From f31cb882a5761a683debbdaa866f07ecd264d9ce Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Tue, 26 Dec 2023 10:51:30 +0200
Subject: [PATCH] practically rewrite etc/resolv.conf

---
 etc/resolv.conf | 46 ++++++++++++++++++++--------------------------
 1 file changed, 20 insertions(+), 26 deletions(-)

diff --git a/etc/resolv.conf b/etc/resolv.conf
index 1d107e2c..f313a7ad 100644
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@@ -1,32 +1,26 @@
-# notes on resolv.conf, actual DNS resolvers in resolv.csv (not a system
-# config file)
+# Don't do this, just run this instead:
+# sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+# Problem: unbound is slow to start and everything complains of failing DNS,
+# and systemd-resolved often gets itself stuck with DNSSEC.
+# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
+# Solution that I dislike: use both unbound & systemd-resolved! When one
+# breaks, maybe the other still works! Funnily /etc/resolv.conf is still
+# restricted to three nameservers.
+
+# unbound
+nameserver ::1
+nameserver 127.0.0.1
-# Local resolver (Unbound?)
-#nameserver 127.0.0.1
-#nameserver ::1
 # systemd-resolved
-#nameserver 127.0.0.51
-# dnscrypt-proxy directly (Debian/systemd)
-#nameserver 127.0.2.1
+nameserver 127.0.0.53
-# trust-ad option is required from glibc2.31+ to tell everything to trust
-# AD/DNSSEC in case there is a localhost DNS server that validates it
-options edns0 single-request-reopen trust-ad
+# randomly utilize both, extended DNS, trust DNSSEC from both
+options rotate edns0 trust-ad
-# Disable search domains by looking for .
+# no sending local domain to upstream whenever NXDOMAIN happens
 search .
-# note and remember missing DNSSEC
-# use.opendns.com http://208.69.38.205/
-# system.opendns.com http://208.69.38.170/
-
-# systemd-resolved symlink files:
-# !!! /run/systemd/resolve/stub-resolv.conf !!! /usr/lib/systemd/resolv.conf /run/systemd/resolve/resolv.conf
-
-# !!! /run/systemd/resolve/stub-resolv.conf !!! contains search domains and doesn't seem to be
-# overwritable and somehow works with Mullvad
-# https://github.com/mullvad/mullvadvpn-app/issues/1952
-# /usr/lib/systemd/resolv.conf doesn't contain search domains, can
-# get overwritten and "broken"
-# /run/systemd/resolve/resolv.conf contains uplink resolvers and domains
-# SHOULDN'T BE USED!
+# PS. Remove empty lines and comments if this ends up in /etc/resolv.conf
+# PPS. The traditional spell is:
+# sudo chattr -i /etc/resolv.conf;sudo nvim /etc/resolv.conf;sudo chattr +i /etc/resolv.conf
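Review bot: The new `options rotate edns0 trust-ad` line combines `rotate` with `trust-ad`, so the AD bit from whichever of the three listed resolvers happens to answer is passed straight through to applications as "validated"; that is only sound if both unbound and the systemd-resolved stub at 127.0.0.53 validate DNSSEC themselves, yet the same hunk's header comment says resolved "often gets itself stuck with DNSSEC", which suggests validation there may be relaxed (its DNSSEC= setting is not visible here). The comment `# randomly utilize both, extended DNS, trust DNSSEC from both` states the intent but not the precondition, and the removed comment's note that `trust-ad` only takes effect from glibc 2.31 onward was dropped with it. I would replace that comment with two lines: `# trust-ad (glibc 2.31+): the AD bit is handed to applications unchecked, so` / `# keep it only while BOTH unbound and resolved (127.0.0.53) validate DNSSEC`. It is also worth a one-line note that dropping `single-request-reopen` was intentional, since nothing in the hunk or subject explains it. The whole file is inside this hunk.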