etc/iwd/main.conf: update comments on DNS

etc/iwd/main.conf

@@ -30,10 +30,11 @@ AddressRandomizationRange=nic
 
 [Network]
 EnableIPv6=true
-# resolvconf/systemd/none. I prefer configuring resolv.conf/unbound by
-# myself.
-#NameResolvingService=systemd
-NameResolvingService=none
+# My /etc/resolf.conf is generally ::1 127.0.0.1 127.0.0.53 and I am not
+# entirely opposed to local servers. The two first are unbound, the third/this
+# systemd-resolved
+NameResolvingService=systemd
+#NameResolvingService=none
 # Default 300, lower preferred by system. Useful when WiFi is known faster
 # than ethernet like having 10 Mbps switch from time before the building had
 # anything faster than DSL...

etc/systemd/resolved.conf.d/00-defaults.conf

@@ -4,9 +4,9 @@
 # Regardless of the above DNS breaking issues when DNSSEC is
 # enabled/opportunistic, it provides authentication which is important. TLS
 # cannot be fully trusted. https://notes.valdikss.org.ru/jabber.ru-mitm/
-DNSSEC=yes
+DNSSEC=true
 DNSOverTLS=opportunistic
-Cache=yes
+Cache=true
 DNS=127.0.0.1
 DNS=::1
 Domains=~.

etc/systemd/resolved.conf.d/README.md

@@ -1,5 +1,20 @@
 # systemd-resolved additional config files
 
+<!-- editorconfig-checker-disable -->
+<!-- prettier-ignore-start -->
+
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+
+- [Quickstart](#quickstart)
+- [Files explained](#files-explained)
+- [General commentary](#general-commentary)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+<!-- prettier-ignore-end -->
+<!-- editorconfig-checker-enable -->
+
 ## Quickstart
 
 ```bash
@@ -15,15 +30,14 @@ sudo systemctl restart systemd-resolved
   Enables DNSSEC (regardless of systemd-resolved not handling it properly),
   enables opportunistic DoT, caching and local DNS servers.
 - `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
-  captive portals are a concern, `DNSOverTLS=no`. At least one of these
+  captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
   should be used in addition to `00-defaults.conf`
+- `nordvpn.conf` - includes NordVPN's resolver addresses for hosts using it
 - `README.md` - you are reading it right now.
 
 ## General commentary
 
-- Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
-  at the time of writing this README.md, the current version is Ubuntu 20.04.0)
-  (systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
+- DNSOverTLS became supported in systemd v239, strict mode (true) in
   v243 (big improvements in v244).
   - TODO: find out when SNI became supported, I have just spotted it in the
     fine manual in 2020-06-??.
@@ -32,10 +46,13 @@ sudo systemctl restart systemd-resolved
 - DNSSEC may not work if the system is down for a long time and not updated.
   Thus `allow-downgrade` may be better for non-tech people, even with the
   potential downgrade attack. There are also captive portals, affecting
-  `DNSOverTLS`. Both take `yes` or `no` or their own special option,
-  for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
+  `DNSOverTLS`. Both take `true` or `false` or their own special option,
+  for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
   - Then again when was any system that outdated to not have working DNSSEC?
     - TODO: return to this configuration should that actually happen?
+    - I am actually running Unbound simultaneously with `resolv.conf` pointing
+      to both with `options rotate edns0 trust-ad` which might workaround that
+      potential issue.
 
 Other links I have found important and my files are based on:
 

etc/systemd/resolved.conf.d/dot-adguard.conf

@@ -2,4 +2,4 @@
 DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-#DNSOverTLS=yes
+#DNSOverTLS=true

etc/systemd/resolved.conf.d/dot-cloudflare.conf

@@ -2,4 +2,4 @@
 DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-#DNSOverTLS=yes
+#DNSOverTLS=true

etc/systemd/resolved.conf.d/dot-dns0.conf

@@ -5,4 +5,4 @@ DNS=2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 193.110.81.0#dns0.eu 185.253.5.0#dns
 #DNS=2a0f:fc80::9#zero.dns0.eu 2a0f:fc81::9#zero.dns0.eu 193.110.81.9#zero.dns0.eu 185.253.5.9#zero.dns0.eu
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-#DNSOverTLS=yes
+#DNSOverTLS=true

etc/systemd/resolved.conf.d/dot-mullvad.conf

@@ -6,4 +6,4 @@ DNS=2a07:e340::2#dns.mullvad.net 194.242.2.2#dns.mullvad.net
 #DNS=2a07:e340::9#all.dns.mullvad.net 194.242.2.9#all.dns.mullvad.net
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-#DNSOverTLS=yes
+#DNSOverTLS=true

etc/systemd/resolved.conf.d/dot-quad9.conf

@@ -4,4 +4,4 @@
 DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-#DNSOverTLS=yes
+#DNSOverTLS=true

etc/systemd/resolved.conf.d/nordvpn.conf

@@ -1,3 +1,3 @@
 [Resolve]
-DNS=2400:bb40:4444::103 2400:bb40:8888::103 ::1
-DNS=103.86.96.100 103.86.99.100 127.0.0.1
+DNS=2400:bb40:4444::103 2400:bb40:8888::103
+DNS=103.86.96.100 103.86.99.100