Compare commits
5 Commits
3009af55a6
...
a7bb2f5ec8
Author | SHA1 | Date |
---|---|---|
Aminda Suomalainen | a7bb2f5ec8 | |
Aminda Suomalainen | 80ac65acd1 | |
Aminda Suomalainen | cce932960e | |
Aminda Suomalainen | a2e36f2a3b | |
Aminda Suomalainen | da6eab8dfc |
|
@ -30,10 +30,11 @@ AddressRandomizationRange=nic
|
|||
|
||||
[Network]
|
||||
EnableIPv6=true
|
||||
# resolvconf/systemd/none. I prefer configuring resolv.conf/unbound by
|
||||
# myself.
|
||||
#NameResolvingService=systemd
|
||||
NameResolvingService=none
|
||||
# My /etc/resolf.conf is generally ::1 127.0.0.1 127.0.0.53 and I am not
|
||||
# entirely opposed to local servers. The two first are unbound, the third/this
|
||||
# systemd-resolved
|
||||
NameResolvingService=systemd
|
||||
#NameResolvingService=none
|
||||
# Default 300, lower preferred by system. Useful when WiFi is known faster
|
||||
# than ethernet like having 10 Mbps switch from time before the building had
|
||||
# anything faster than DSL...
|
||||
|
|
|
@ -4,9 +4,9 @@
|
|||
# Regardless of the above DNS breaking issues when DNSSEC is
|
||||
# enabled/opportunistic, it provides authentication which is important. TLS
|
||||
# cannot be fully trusted. https://notes.valdikss.org.ru/jabber.ru-mitm/
|
||||
DNSSEC=yes
|
||||
DNSSEC=true
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=yes
|
||||
Cache=true
|
||||
DNS=127.0.0.1
|
||||
DNS=::1
|
||||
Domains=~.
|
||||
|
|
|
@ -1,5 +1,20 @@
|
|||
# systemd-resolved additional config files
|
||||
|
||||
<!-- editorconfig-checker-disable -->
|
||||
<!-- prettier-ignore-start -->
|
||||
|
||||
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
|
||||
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
|
||||
|
||||
- [Quickstart](#quickstart)
|
||||
- [Files explained](#files-explained)
|
||||
- [General commentary](#general-commentary)
|
||||
|
||||
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
|
||||
|
||||
<!-- prettier-ignore-end -->
|
||||
<!-- editorconfig-checker-enable -->
|
||||
|
||||
## Quickstart
|
||||
|
||||
```bash
|
||||
|
@ -15,15 +30,14 @@ sudo systemctl restart systemd-resolved
|
|||
Enables DNSSEC (regardless of systemd-resolved not handling it properly),
|
||||
enables opportunistic DoT, caching and local DNS servers.
|
||||
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
|
||||
captive portals are a concern, `DNSOverTLS=no`. At least one of these
|
||||
captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
|
||||
should be used in addition to `00-defaults.conf`
|
||||
- `nordvpn.conf` - includes NordVPN's resolver addresses for hosts using it
|
||||
- `README.md` - you are reading it right now.
|
||||
|
||||
## General commentary
|
||||
|
||||
- Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
|
||||
at the time of writing this README.md, the current version is Ubuntu 20.04.0)
|
||||
(systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
|
||||
- DNSOverTLS became supported in systemd v239, strict mode (true) in
|
||||
v243 (big improvements in v244).
|
||||
- TODO: find out when SNI became supported, I have just spotted it in the
|
||||
fine manual in 2020-06-??.
|
||||
|
@ -32,10 +46,13 @@ sudo systemctl restart systemd-resolved
|
|||
- DNSSEC may not work if the system is down for a long time and not updated.
|
||||
Thus `allow-downgrade` may be better for non-tech people, even with the
|
||||
potential downgrade attack. There are also captive portals, affecting
|
||||
`DNSOverTLS`. Both take `yes` or `no` or their own special option,
|
||||
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||
`DNSOverTLS`. Both take `true` or `false` or their own special option,
|
||||
for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||
- Then again when was any system that outdated to not have working DNSSEC?
|
||||
- TODO: return to this configuration should that actually happen?
|
||||
- I am actually running Unbound simultaneously with `resolv.conf` pointing
|
||||
to both with `options rotate edns0 trust-ad` which might workaround that
|
||||
potential issue.
|
||||
|
||||
Other links I have found important and my files are based on:
|
||||
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
|
||||
# Uncomment for port 443 resolver
|
||||
#DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
|
||||
#DNSOverTLS=yes
|
||||
#DNSOverTLS=true
|
||||
|
|
|
@ -2,4 +2,4 @@
|
|||
DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
|
||||
# Uncomment for port 443 resolver
|
||||
#DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
|
||||
#DNSOverTLS=yes
|
||||
#DNSOverTLS=true
|
||||
|
|
|
@ -5,4 +5,4 @@ DNS=2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 193.110.81.0#dns0.eu 185.253.5.0#dns
|
|||
#DNS=2a0f:fc80::9#zero.dns0.eu 2a0f:fc81::9#zero.dns0.eu 193.110.81.9#zero.dns0.eu 185.253.5.9#zero.dns0.eu
|
||||
# Uncomment for port 443 resolver
|
||||
#DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
|
||||
#DNSOverTLS=yes
|
||||
#DNSOverTLS=true
|
||||
|
|
|
@ -6,4 +6,4 @@ DNS=2a07:e340::2#dns.mullvad.net 194.242.2.2#dns.mullvad.net
|
|||
#DNS=2a07:e340::9#all.dns.mullvad.net 194.242.2.9#all.dns.mullvad.net
|
||||
# Uncomment for port 443 resolver
|
||||
#DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
|
||||
#DNSOverTLS=yes
|
||||
#DNSOverTLS=true
|
||||
|
|
|
@ -4,4 +4,4 @@
|
|||
DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
|
||||
# Uncomment for port 443 resolver
|
||||
#DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
|
||||
#DNSOverTLS=yes
|
||||
#DNSOverTLS=true
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
[Resolve]
|
||||
DNS=2400:bb40:4444::103 2400:bb40:8888::103 ::1
|
||||
DNS=103.86.96.100 103.86.99.100 127.0.0.1
|
||||
DNS=2400:bb40:4444::103 2400:bb40:8888::103
|
||||
DNS=103.86.96.100 103.86.99.100
|
||||
|
|
Loading…
Reference in New Issue