From e52b25bfaa14d7e30176f6d8b73f88ca0b9f2981 Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Wed, 12 Mar 2025 20:43:26 +0200
Subject: [PATCH] {unbound,systemd-resolved}: cleanup, disable ECS in unused quad9 file
---
 etc/systemd/resolved.conf.d/10-dot-quad9.conf | 8 +-
 .../unbound.conf.d/dot-adguard-dns0.conf | 1 -
 .../unbound.conf.d/dot-dns0-quad9.conf | 33 -------
 .../dot-fluhable-cache.conf.badidea | 33 -------
 .../unbound.conf.d/dot-private-ecs.conf | 26 ------
 .../dot-provider-zones.conf.badidea | 86 ------------------
 etc/unbound/unbound.conf.d/dot-quad9.conf | 32 +++----
 etc/unbound/unbound.conf.d/ecs.conf.sample | 18 ----
 .../well-known-dns.conf.badidea | 89 -------------------
 9 files changed, 20 insertions(+), 306 deletions(-)
 delete mode 120000 etc/unbound/unbound.conf.d/dot-adguard-dns0.conf
 delete mode 100644 etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
 delete mode 100644 etc/unbound/unbound.conf.d/dot-fluhable-cache.conf.badidea
 delete mode 100644 etc/unbound/unbound.conf.d/dot-private-ecs.conf
 delete mode 100644 etc/unbound/unbound.conf.d/dot-provider-zones.conf.badidea
 delete mode 100644 etc/unbound/unbound.conf.d/ecs.conf.sample
 delete mode 100644 etc/unbound/unbound.conf.d/well-known-dns.conf.badidea
diff --git a/etc/systemd/resolved.conf.d/10-dot-quad9.conf b/etc/systemd/resolved.conf.d/10-dot-quad9.conf
index 8215b037..2bd39105 100644
--- a/etc/systemd/resolved.conf.d/10-dot-quad9.conf
+++ b/etc/systemd/resolved.conf.d/10-dot-quad9.conf
@@ -3,14 +3,14 @@
 # encryption, but host a Quad9 node and giving these addresses instead.
 [Resolve]
 # Secure
-#DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
-#DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
+DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
+DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
 # No Threat Blocking
 #DNS=2620:fe::10#dns10.quad9.net 2620:fe::fe:10#dns10.quad9.net [2620:fe::10]:8853#dns10.quad9.net [2620:fe::fe:10]:8853#dns10.quad9.net
 #DNS=149.112.112.10#dns10.quad9.net 9.9.9.10#dns10.quad9.net 149.112.112.10:8853#dns10.quad9.net 9.9.9.10:8853#dns10.quad9.net
 # Secure + ECS. IPv4 first so it gets preferred as my Unbound likely prefers IPv6 anyway.
-DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
-DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
+#DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
+#DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
 # No Threat Blocking + ECS
 #DNS=2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net [2620:fe::12]:8853#dns12.quad9.net [2620:fe::fe:12]:8853#dns12.quad9.net
 #DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 9.9.9.12:8853#dns12.quad9.net 149.112.112.12:8853#dns12.quad9.net
diff --git a/etc/unbound/unbound.conf.d/dot-adguard-dns0.conf b/etc/unbound/unbound.conf.d/dot-adguard-dns0.conf
deleted file mode 120000
index 4290b259..00000000
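Review bot: The newly enabled Secure pair lists the IPv6 `DNS=` line ahead of the IPv4 one, while the only ordering rationale in the file (`# Secure + ECS. IPv4 first so it gets preferred ...`) now sits above lines that are commented out; if that preference still holds, swap the two `+DNS=` lines, otherwise reword the comment so it does not read as describing the active pair. It is also worth confirming, outside this hunk, that `DNSOverTLS=yes` is set in this drop-in or another one, because the `#dns.quad9.net` names only take effect once resolved negotiates TLS and the `:8853` entries presumably do nothing useful without it. A short comment above the active lines, `# Active: Quad9 Secure without ECS (client subnet is not forwarded)`, would record the reason for the switch in the file rather than only in the commit subject.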
--- a/etc/unbound/unbound.conf.d/dot-adguard-dns0.conf
+++ /dev/null
@@ -1 +0,0 @@
-dot-private-ecs.conf
\ No newline at end of file
diff --git a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
deleted file mode 100644
index d02afd02..00000000
--- a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# This is a merging of dot-dns0.conf & dot-quad9.conf with weight on DNS0
-# IPv4 and when using IPv6, Quad9 Secure with ECS. IPv6 private ECS is
-# horribly inaccurate and I have minor leaning towards having ECS enabled.
-# Private ECS is a compromise between privacy and local destinations.
-#
-# Both are filtering DNS servers, so this brings risk of something being
-# blocked by only one of them. However both are non-profits and have servers
-# in Finland.
-
-server:
- # Debian ca-certificates location
- #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
- # Fedora
- #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- # Use system certificates no matter where they are
- tls-system-cert: yes
- # Quad9 says pointless performance impact on forwarders.
- # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
- qname-minimisation: no
-
-forward-zone:
- name: "."
- forward-tls-upstream: yes
-## DNS0.eu IPv4 Default
- forward-addr: 193.110.81.0@853#dns0.eu
- forward-addr: 185.253.5.0@853#dns0.eu
-## Quad9 IPv6 Secure + ECS
- forward-addr: 2620:fe::11@8853#dns11.quad9.net
- forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
- forward-addr: 2620:fe::11@853#dns11.quad9.net
- forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
-
-# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf.badidea b/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf.badidea
deleted file mode 100644
index 1d072f47..00000000
--- a/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf.badidea
+++ /dev/null
@@ -1,33 +0,0 @@
-# NOTE! Requires Unbound 1.7.3 or newer!
-# Based on https://www.ctrl.blog/entry/unbound-tls-forwarding.html
-
-server:
- # Debian ca-certificates location
- #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
- # Fedora location
- #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- # Use system certificates no matter where they are
- tls-system-cert: yes
- # Quad9 says pointless performance impact on forwarders.
- # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
- qname-minimisation: no
-
-# DNS servers that have public button for flushing cache. Privacy not considered.
-
-forward-zone:
- name: "."
- forward-tls-upstream: yes
-
- # Cloudflare / https://1.1.1.1/purge-cache/
- forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
- forward-addr: 1.1.1.1@853#cloudflare-dns.com
- forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
- forward-addr: 1.0.0.1@853#cloudflare-dns.com
-
- # Google / https://dns.google/cache
- forward-addr: 8.8.8.8@853#dns.google
- forward-addr: 8.8.4.4@853#dns.google
- forward-addr: 2001:4860:4860::8888@853#dns.google
- forward-addr: 2001:4860:4860::8844@853#dns.google
-
-# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/dot-private-ecs.conf b/etc/unbound/unbound.conf.d/dot-private-ecs.conf
deleted file mode 100644
index 6d64c87a..00000000
--- a/etc/unbound/unbound.conf.d/dot-private-ecs.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-server:
- # Debian ca-certificates location
- #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
- # Fedora
- #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- # Use system certificates no matter where they are
- tls-system-cert: yes
- # Quad9 says pointless performance impact on forwarders.
- # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
- qname-minimisation: no
-# AdGuard Public DNS without filtering.
-forward-zone:
- name: "."
- forward-tls-upstream: yes
- # AdGuard Public DNS without filtering
- forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
- forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
- forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
- forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com
- # DNS0.eu without filtering
- forward-addr: 193.110.81.254@853#open.dns0.eu
- forward-addr: 185.253.5.254@853#open.dns0.eu
- forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
- forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
-
-# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/dot-provider-zones.conf.badidea b/etc/unbound/unbound.conf.d/dot-provider-zones.conf.badidea
deleted file mode 100644
index 3de60bb5..00000000
--- a/etc/unbound/unbound.conf.d/dot-provider-zones.conf.badidea
+++ /dev/null
@@ -1,86 +0,0 @@
-# This file attempts to send zones belonging to DNS operators to their DNS servers.
-# Inclusion criteria: I know and use the service.
-
-server:
- # Debian ca-certificates location
- #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
- # Fedora
- #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- # Use system certificates no matter where they are
- tls-system-cert: yes
- # Quad9 says pointless performance impact on forwarders.
- # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
- qname-minimisation: no
-
-forward-zone:
- name: "google"
- forward-tls-upstream: yes
- # Must be explicit forward-addr for dns.google to be found
- forward-addr: 2001:4860:4860::8844@853#dns.google
- forward-addr: 2001:4860:4860::8888@853#dns.google
- forward-addr: 8.8.4.4@853#dns.google
- forward-addr: 8.8.8.8@853#dns.google
-
-forward-zone:
- name: "google.fi"
- forward-tls-upstream: yes
- forward-host: dns.google@853#dns.google
-
-forward-zone:
- name: "google.com"
- forward-tls-upstream: yes
- forward-host: dns.google@853#dns.google
-
-forward-zone:
- name: "youtube.com"
- forward-tls-upstream: yes
- forward-host: dns.google@853#dns.google
-
-forward-zone:
- name: "youtube-nocookie.com"
- forward-tls-upstream: yes
- forward-host: dns.google@853#dns.google
-
-forward-zone:
- name: "youtu.be"
- forward-tls-upstream: yes
- forward-host: dns.google@853#dns.google
-
-forward-zone:
- name: "googlevideo.com"
- forward-tls-upstream: yes
- forward-host: dns.google@853#dns.google
-
-forward-zone:
- name: "ytimg.com"
- forward-tls-upstream: yes
- forward-host: dns.google@853#dns.google
-
-# forward-zone:
-# name: "googleusercontent.com"
-# forward-tls-upstream: yes
-# forward-host: dns.google@853#dns.google
-
-
-forward-zone:
- name: "gstatic.com"
- forward-tls-upstream: yes
- forward-host: dns.google@853#dns.google
-
-forward-zone:
- name: "cloudflare-dns.com"
- # Must be explicit for forward-addr
- forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
- forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
- forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
- forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
-
-forward-zone:
- name: "cloudflare.com"
- forward-host: security.cloudflare-dns.com@853#security.cloudflare-dns.com
-
-forward-zone:
- name: "one.one"
- forward-host: security.cloudflare-dns.com@853#security.cloudflare-dns.com
-
-# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/dot-quad9.conf b/etc/unbound/unbound.conf.d/dot-quad9.conf
index 61c117b5..d15b6f4f 100644
--- a/etc/unbound/unbound.conf.d/dot-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-quad9.conf
@@ -17,14 +17,14 @@ forward-zone:
 name: "."
 forward-tls-upstream: yes
 ## Secure
- #forward-addr: 2620:fe::fe@853#dns.quad9.net
- #forward-addr: 2620:fe::fe@8853#dns.quad9.net
- #forward-addr: 2620:fe::9@853#dns.quad9.net
- #forward-addr: 2620:fe::9@8853#dns.quad9.net
- #forward-addr: 9.9.9.9@853#dns.quad9.net
- #forward-addr: 9.9.9.9@8853#dns.quad9.net
- #forward-addr: 149.112.112.112@853#dns.quad9.net
- #forward-addr: 149.112.112.112@8853#dns.quad9.net
+ forward-addr: 2620:fe::fe@853#dns.quad9.net
+ forward-addr: 2620:fe::fe@8853#dns.quad9.net
+ forward-addr: 2620:fe::9@853#dns.quad9.net
+ forward-addr: 2620:fe::9@8853#dns.quad9.net
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 9.9.9.9@8853#dns.quad9.net
+ forward-addr: 149.112.112.112@853#dns.quad9.net
+ forward-addr: 149.112.112.112@8853#dns.quad9.net
 ## No Threat Blocking
 #forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
 #forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
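Review bot: The `server:` clause that the eight newly enabled `forward-addr` lines depend on is outside this hunk (the file is only shown from line 17), so it is worth confirming it still carries `tls-system-cert: yes` or a `tls-cert-bundle`; the deleted sibling files had that line, and without it Unbound cannot verify the `#dns.quad9.net` authentication names on these DoT upstreams, leaving the forwarders encrypted but unauthenticated. The same `forward-zone` keeps three other Quad9 tiers as commented-out `#forward-addr` lines and is switched by (un)commenting, which this hunk and the `@@ -35,14 +35,14 @@` hunk below do in tandem; a header such as `## Uncomment exactly one Quad9 tier below - mixing tiers gives inconsistent filtering` above `## Secure` would document the invariant that comment-toggling cannot enforce. The enclosing `forward-zone:` starts before line 17.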
@@ -35,14 +35,14 @@ forward-zone:
 #forward-addr: 9.9.9.10@853#dns10.quad9.net
 #forward-addr: 9.9.9.10@8853#dns10.quad9.net
 ## Secure + ECS
- forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
- forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
- forward-addr: 9.9.9.11@853#dns11.quad9.net
- forward-addr: 9.9.9.11@8853#dns11.quad9.net
- forward-addr: 2620:fe::11@853#dns11.quad9.net
- forward-addr: 2620:fe::11@8853#dns11.quad9.net
- forward-addr: 149.112.112.11@853#dns11.quad9.net
- forward-addr: 149.112.112.11@8853#dns11.quad9.net
+ #forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+ #forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
+ #forward-addr: 9.9.9.11@853#dns11.quad9.net
+ #forward-addr: 9.9.9.11@8853#dns11.quad9.net
+ #forward-addr: 2620:fe::11@853#dns11.quad9.net
+ #forward-addr: 2620:fe::11@8853#dns11.quad9.net
+ #forward-addr: 149.112.112.11@853#dns11.quad9.net
+ #forward-addr: 149.112.112.11@8853#dns11.quad9.net
 ## No Threat Blocking + ECS
 #forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
 #forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
diff --git a/etc/unbound/unbound.conf.d/ecs.conf.sample b/etc/unbound/unbound.conf.d/ecs.conf.sample
deleted file mode 100644
index 131048d9..00000000
--- a/etc/unbound/unbound.conf.d/ecs.conf.sample
+++ /dev/null
@@ -1,18 +0,0 @@
-# This will only affect servers that are accessed with public IP address!
-server:
-#module-config: "ipsecmod validator iterator"
-# subnetcache must be loaded for ecs
-module-config: "subnetcache validator iterator"
-# Send ECS everywhere always
-client-subnet-zone: "."
-client-subnet-always-forward: yes
-# Send different subnet size
-#max-client-subnet-ipv6: "16"
-#max-client-subnet-ipv4: "0"
-
-# IP address to send client subnets TO. Optionally /CIDR can be appended.
-# This actually means AUTHORITY servers!
-#send-client-subnet:
-#send-client-subnet:
-
-# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/well-known-dns.conf.badidea b/etc/unbound/unbound.conf.d/well-known-dns.conf.badidea
deleted file mode 100644
index d56450ed..00000000
--- a/etc/unbound/unbound.conf.d/well-known-dns.conf.badidea
+++ /dev/null
@@ -1,89 +0,0 @@
-# The point of this file is to have these domains just work without having
-# to send queries, even if they are queried by web browser.
-server:
-# Quad9 Secure
- local-zone: "dns.quad9.net." typetransparent
- local-data: "dns.quad9.net. A 9.9.9.9"
- local-data: "dns.quad9.net. A 149.112.112.112"
- local-data: "dns.quad9.net. AAAA 2620:fe::fe"
- local-data: "dns.quad9.net. AAAA 2620:fe::9"
-# Quad9 No Threat Blocking
- local-zone: "dns10.quad9.net." typetransparent
- local-data: "dns10.quad9.net. A 9.9.9.10"
- local-data: "dns10.quad9.net. A 149.112.112.10"
- local-data: "dns10.quad9.net. AAAA 2620:fe::10"
- local-data: "dns10.quad9.net. AAAA 2620:fe::fe:10"
-# Quad9 Secure + ECS
- local-zone: "dns11.quad9.net." typetransparent
- local-data: "dns11.quad9.net. A 9.9.9.11"
- local-data: "dns11.quad9.net. A 149.112.112.11"
- local-data: "dns11.quad9.net. AAAA 2620:fe::11"
- local-data: "dns11.quad9.net. AAAA 2620:fe::fe:11"
-# Quad9 No Threat Blocking + ECS
- local-zone: "dns12.quad9.net." typetransparent
- local-data: "dns12.quad9.net. A 9.9.9.12"
- local-data: "dns12.quad9.net. A 149.112.112.12"
- local-data: "dns12.quad9.net. AAAA 2620:fe::12"
- local-data: "dns12.quad9.net. AAAA 2620:fe::fe:12"
-# DNS0 default
- local-zone: "dns0.eu." typetransparent
- local-data: "dns0.eu. A 193.110.81.0"
- local-data: "dns0.eu. A 185.253.5.0"
- local-data: "dns0.eu. AAAA 2a0f:fc80::"
- local-data: "dns0.eu. AAAA 2a0f:fc81::"
-# DNS0 Zero
- local-zone: "zero.dns0.eu." typetransparent
- local-data: "zero.dns0.eu. A 193.110.81.9"
- local-data: "zero.dns0.eu. A 185.253.5.9"
- local-data: "zero.dns0.eu. AAAA 2a0f:fc80::9"
- local-data: "zero.dns0.eu. AAAA 2a0f:fc81::9"
-# DNS0 Kids
- local-zone: "kids.dns0.eu." typetransparent
- local-data: "kids.dns0.eu. A 193.110.81.1"
- local-data: "kids.dns0.eu. A 185.253.5.1"
- local-data: "kids.dns0.eu. AAAA 2a0f:fc80::1"
- local-data: "kids.dns0.eu. AAAA 2a0f:fc81::1"
-# DNS0 Open
- local-zone: "open.dns0.eu." typetransparent
- local-data: "open.dns0.eu. A 193.110.81.254"
- local-data: "open.dns0.eu. A 185.253.5.254"
- local-data: "open.dns0.eu. AAAA 2a0f:fc80::ffff"
- local-data: "open.dns0.eu. AAAA 2a0f:fc81::ffff"
-# Cloudflare
- local-zone: "cloudflare-dns.com." typetransparent
- local-data: "cloudflare-dns.com. A 1.1.1.1"
- local-data: "cloudflare-dns.com. A 1.0.0.1"
- local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1111"
- local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1001"
- local-zone: "one.one.one.one." typetransparent
- local-data: "one.one.one.one. CNAME cloudflare-dns.com."
-# Cloudflare Malware blocking
- local-zone: "security.cloudflare-dns.com." typetransparent
- local-data: "security.cloudflare-dns.com. A 1.1.1.2"
- local-data: "security.cloudflare-dns.com. A 1.0.0.2"
- local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1112"
- local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1002"
-# Mullvad ad, tracker & malware block
- local-zone: "base.dns.mullvad.net." typetransparent
- local-data: "base.dns.mullvad.net. A 194.242.2.4"
- local-data: "base.dns.mullvad.net. AAAA 2a07:e340::4"
-# AdGuard Default
- local-zone: "dns.adguard-dns.com." typetransparent
- local-data: "dns.adguard-dns.com. A 94.140.14.14"
- local-data: "dns.adguard-dns.com. A 94.140.15.15"
- local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad1:ff"
- local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad2:ff"
-# Google DNS
- local-zone: "dns.google." typetransparent
- local-data: "dns.google. A 8.8.8.8"
- local-data: "dns.google. A 8.8.4.4"
- local-data: "dns.google. AAAA 2001:4860:4860::8888"
- local-data: "dns.google. AAAA 2001:4860:4860::8844"
- local-zone: "dns.google.com." typetransparent
- local-data: "dns.google.com. CNAME dns.google."
-# Google DNS64
- local-zone: "dns64.dns.google." typetransparent
- local-data: "dns64.dns.google. AAAA 2001:4860:4860::6464"
- local-data: "dns64.dns.google. AAAA 2001:4860:4860::64"
-
-# vim: filetype=unbound.conf