From f31cb882a5761a683debbdaa866f07ecd264d9ce Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen <suomalainen+git@mikaela.info>
Date: Tue, 26 Dec 2023 10:51:30 +0200
Subject: [PATCH] practically rewrite etc/resolv.conf

---
 etc/resolv.conf | 46 ++++++++++++++++++++--------------------------
 1 file changed, 20 insertions(+), 26 deletions(-)

diff --git a/etc/resolv.conf b/etc/resolv.conf
index 1d107e2c..f313a7ad 100644
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@@ -1,32 +1,26 @@
-# notes on resolv.conf, actual DNS resolvers in resolv.csv (not a system
-# config file)
+# Don't do this, just run this instead:
+#     sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+# Problem: unbound is slow to start and everything complains of failing DNS,
+# and systemd-resolved often gets itself stuck with DNSSEC.
+# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
+# Solution that I dislike: use both unbound & systemd-resolved! When one
+# breaks, maybe the other still works! Funnily /etc/resolv.conf is still
+# restricted to three nameservers.
+
+# unbound
+nameserver ::1
+nameserver 127.0.0.1
 
-# Local resolver (Unbound?)
-#nameserver 127.0.0.1
-#nameserver ::1
 # systemd-resolved
-#nameserver 127.0.0.51
-# dnscrypt-proxy directly (Debian/systemd)
-#nameserver 127.0.2.1
+nameserver 127.0.0.53
 
-# trust-ad option is required from glibc2.31+ to tell everything to trust
-# AD/DNSSEC in case there is a localhost DNS server that validates it
-options edns0 single-request-reopen trust-ad
+# randomly utilize both, extended DNS, trust DNSSEC from both
+options rotate edns0 trust-ad
 
-# Disable search domains by looking for .
+# no sending local domain to upstream whenever NXDOMAIN happens
 search .
 
-# note and remember missing DNSSEC
-# use.opendns.com http://208.69.38.205/
-# system.opendns.com http://208.69.38.170/
-
-# systemd-resolved symlink files:
-# !!! /run/systemd/resolve/stub-resolv.conf !!! /usr/lib/systemd/resolv.conf /run/systemd/resolve/resolv.conf
-
-# !!! /run/systemd/resolve/stub-resolv.conf !!! contains search domains and doesn't seem to be
-#									   overwritable and somehow works with Mullvad
-#									   https://github.com/mullvad/mullvadvpn-app/issues/1952
-# /usr/lib/systemd/resolv.conf		  doesn't contain search domains, can
-#									   get overwritten and "broken"
-# /run/systemd/resolve/resolv.conf	  contains uplink resolvers and domains
-#									   SHOULDN'T BE USED!
+# PS. Remove empty lines and comments if this ends up in /etc/resolv.conf
+# PPS. The traditional spell is:
+#    sudo chattr -i /etc/resolv.conf;sudo nvim /etc/resolv.conf;sudo chattr +i /etc/resolv.conf