I have no idea when I have previously looked into those two files (git
history would probably tell me), but I don't think they make much sense,
while the important parts can be cut into conf.d/ and applied
individually as needed.
Strangely Itwjyg is a special case system where I need systemd-resolved
and its opportunistic DNSSEC/DoT. I also accidentally forgot
dns-none.conf (then dns.conf) there, but systemd-resolved.conf appears
to have overridden it, so it was fine and I have now removed the extra
one.
* Vector.im is the identity server that gets restored by itself and I
don't seem to ever have any business to Vector.im website, while
the other domains I need to visit at times.
* use-application-dns.net being NXDOMAIN tells Firefox to not send
traffic to Cloudflare DoH. I thought of this when I saw the news and
got courage to actually do this after seeing that DNSCrypt-proxy also
does so.
Rbtpzn was using them for some reason and was hitting less errors than
Zaldaryn in as basic test as "apt update", so I guess it's worth having
it included. I think I am mainly leaving it for family devices.
> over the last years we had people getting confused over <suite>-updates
> (recommended updates) and <suite>/updates (security updates). Starting
> with Debian 11 "bullseye" we have therefore renamed the suite including
> the security updates to <suite>-security.
https://lists.debian.org/debian-devel-announce/2019/07/msg00004.html
I need unisolated port for dnscrypt-proxy which I fear would otherwise
generate too many circuits which wouldn't even be used and I guess
there is no harm in sending Yggdrasil to a separate port that only has
access to onions which is a port I may sometimes wish I have otherwise
too.
OpenSSH is evil and gives you three not-optimal options to this:
A) trust DNSSEC and don't write known_hosts
B) ask whether to trust DNS, but don't bother telling me if it's signed
C) don't even check SSHFP
I see A) as the least evil, but I wish known_hosts was written.
Alternatively B) should tell me whether there is DNSSEC or not, not
only "matching keys found from DNS" or whatever it says always.
> The ClientPreferIPv6DirPort option is deprecated, and will most likely be removed in a future version of Tor. It has no effect on relays, and has had no effect on clients since 0.2.8. (If you think this is a mistake, please let us know!)
If the lowpower option uses values 40 and 20 which are a lot higher than
mine were and considered suitable for laptops and smartphones, I guess
they are the best for me to use and I find content faster.
It seems that I am always going to enable it sooner or later anyway, so
why woulnd't I have it enabled for quick installing when I do need it?
Example: KDE Connect crashed on login, and asked me to report it, but
the reporter app warned that there is no address to report it and debug
information had one or two stars and said that it's likely bad quality
and I think this is due to missing debug symbols which I then installed.
Naturally after installing them, I am unable to reproduce the issue, but
that is beside the point.
I happened to wonder about reload times and think that this is nice to
have visible here.
Syslog is used by default and I am expecting it so it probably won't
hurt being visible.
Removed my weird comment and added refresh_delay to OpenNIC. I am using
p2 instead of ph as per the wiki as apparently they don't consider
balancing queries over multiple services as important as speed, so maybe
I don't have to worry about that either.
Learning that I don't have to specify servers there is a lot more
variety even if I start requiring more things, as Sedric says to
see 33 live servers, I guess dnscrypt servers in general respect
privacy. However I guess I still have to trust on what the servers
say as AFAIK dnscrypt-proxy is only that, a proxy, and won't start
validating dnssec by itself.
* add invictus, it's not mine, but neither are roubaix (dnscrypt-proxy
dislikes dashes?) and this file is meant for just my use, so does it
matter what it contains?
At the moment I am having problem with mikaela.info being in HSTS
preload list and when I begun this list, I was hoping to use something
conflict free and thought that mikaela.info would be the least bad
choice while reading the reserver domains.
Now I have searched on the issues more and encountered .internal TLD
that seems to be what I am after and I hope it will become official.
https://github.com/wkumari/draft-wkumari-dnsop-internal
I think I can change these addresses safely as I am not using them
anywhere as I worry about accidentally sending them to the internet and
that opening new problems. This will mainly benefit me with web
browsers, I hope.
I will still have to link other people to direct IPv6 addresses that
won't change with the platforms I use or mikaela.info will not be in the
HSTS preload lists at time I need it. I wouldn't memorize IPv4 addresses
though or start telling them someone in quick chat.
It took me some time a few days ago to figure out this (and notice that
port 80 was already used by automatically installed Apache that was
doing nothing).
I have understood that ports 443 (Orport) and 80 (Dirport) are the best
for users behind strict firewalls especially if they aren't needed for
anything else on the system running Tor relay.
* Comment that the fastest server is automatically picked.
* Explicitly don't filter AAAA requests.
* Require provider to not do filtering
* which is implied by DNSSEC which would get broken.
* Use Google DNS B as fallback resolver and explain what it does in
comment.
* Add commented options for using Tor.
Polipo is no longer maintained and it seems that I am doing the same
thing with Privoxy except censoring accept-language which I need to
investigate. I think Privoxy warned about changing headers possibly
making ones fingerprint more unique and thus trackable? But aren't those
also going inside https so maybe there is no point?
Dnscrypt-proxy appears to handle multiple servers by itself nowadays and
does it in the config file. The servers listed may also be down.
Ref: #92 where I remembered these files still being here.
I have no idea why I even have this file :(
I guess the number four has something to do with Windows as resolv.conf
actually doesn't take more than three, am I preparing for situation
where there is no network, but ISP DNS is down or something? Why? When has
that actually happened?
I want DNSMasq to behave a little differently from the NetworkManager
defaults.
The default cache size of 150/400 seems a little small and 10 000 probably
won't be full soon and I am sure modern systems at least at home where I
am using dnsmasq again won't suffer from it.
By default dnsmasq started by NEtworkManager only listens on 127.0.0.1
while ::1 also exists, I want it to be also listened on in case anything
decides to try querying with it.
DNSSEC is not checked by default while I want that behaviour, but as I
am using OpenDNS I cannot make it verify unsigned zones are unsigned :(
Also add symlink to trust-anchors.conf that should ship with DNSSEC to
avoid having to deal with it manually. It should work as a reminder that
it's also needed.
It fails on laptops thanks to not being able to do DNS resolution thanks
to network connection not existing during boot.
Now it fails to `Download snap "ubuntu-core" (423) from channel "stable"
(cannot authenticate to snap store: Provided email/password is not
correct.)` which is process and appears to not be my issue.
Only oidentd.socket and miredo.service were copied instead of being
units that exist in the system and they don't need to do anything
else than fix the issue I have with the stock units.
* oidentd.socket is IPv6-only on my systems unless is BindIPv6Only=both.
because of net.ipv6.bindv6only=1
* miredo.service is here because it starts before there is network
connection (network-online.target) and there is never network
connection with laptops before they are connected to WLAN even if
NetworkManager might be up seeking/connecting to network.