etc/systemd/resolved.conf.d/00-defaults.conf

@@ -7,6 +7,3 @@
 DNSSEC=yes
 DNSOverTLS=opportunistic
 Cache=yes
-DNS=127.0.0.1
-DNS=::1
-Domains=~.

etc/systemd/resolved.conf.d/README.md

@@ -11,12 +11,11 @@ sudo systemctl restart systemd-resolved
 
 ## Files explained
 
-- `00-defaults.conf` - configuration that should be used everywhere.
-  Enables DNSSEC (regardless of systemd-resolved not handling it properly),
-  enables opportunistic DoT, caching and local DNS servers.
+- `00-defaults.conf` - configuration not touching resolvers. Enables DNSSEC
+  (regardless of systemd-resolved not handling it properly), enables
+  opportunistic DoT and caching.
 - `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
-  captive portals are a concern, `DNSOverTLS=no`. At least one of these
-  should be used in addition to `00-defaults.conf`
+  captive portals are a concern, `DNSOverTLS=no`.
 - `README.md` - you are reading it right now.
 
 ## General commentary

etc/systemd/resolved.conf.d/dot-adguard.conf

@@ -2,4 +2,8 @@
 DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-#DNSOverTLS=yes
+Domains=~.
+DNSOverTLS=yes
+Cache=yes
+
+# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html

etc/systemd/resolved.conf.d/dot-cloudflare.conf

@@ -2,4 +2,6 @@
 DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-#DNSOverTLS=yes
+Domains=~.
+DNSOverTLS=yes
+Cache=yes

etc/systemd/resolved.conf.d/dot-dns0.conf

@@ -5,4 +5,6 @@ DNS=2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 193.110.81.0#dns0.eu 185.253.5.0#dns
 #DNS=2a0f:fc80::9#zero.dns0.eu 2a0f:fc81::9#zero.dns0.eu 193.110.81.9#zero.dns0.eu 185.253.5.9#zero.dns0.eu
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-#DNSOverTLS=yes
+Domains=~.
+DNSOverTLS=yes
+Cache=yes

etc/systemd/resolved.conf.d/dot-mullvad.conf

@@ -6,4 +6,6 @@ DNS=2a07:e340::2#dns.mullvad.net 194.242.2.2#dns.mullvad.net
 #DNS=2a07:e340::9#all.dns.mullvad.net 194.242.2.9#all.dns.mullvad.net
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-#DNSOverTLS=yes
+Domains=~.
+DNSOverTLS=yes
+Cache=yes

etc/systemd/resolved.conf.d/dot-quad9.conf

@@ -4,4 +4,6 @@
 DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-#DNSOverTLS=yes
+Domains=~.
+DNSOverTLS=yes
+Cache=yes

etc/systemd/resolved.conf.d/nordvpn.conf

@@ -1,3 +1,10 @@
 [Resolve]
+DNSSEC=yes
+DNSOverTLS=no
+Cache=yes
 DNS=2400:bb40:4444::103 2400:bb40:8888::103 ::1
 DNS=103.86.96.100 103.86.99.100 127.0.0.1
+# DNS0.eu/open since I am unsure of the above working without NordVPN with the
+# exception of Unbound
+DNS=2a0f:fc80::ffff 2a0f:fc81::ffff 193.110.81.254 185.253.5.254
+Domains=~.

etc/systemd/resolved.conf.d/unbound.conf

@@ -0,0 +1,12 @@
+# For binding systemd-resolved to Unbound
+[Resolve]
+DNS=127.0.0.1
+DNS=::1
+Domains=~.
+# Done better by Unbound, no failed-auxiliary (https://github.com/systemd/systemd/issues/9867)
+#DNSSEC=allow-downgrade
+DNSSEC=yes
+# Not needed on localhost
+DNSOverTLS=no
+# Done by Unbound
+Cache=no