hosts/dns: comment where it begins and where it ends

This will break DNSSEC and a lot of things.

etc/hosts/README.md

@@ -0,0 +1,36 @@
+# `/etc/hosts`
+
+This file is DNS before DNS and legacy remain which is still used.
+
+<!-- editorconfig-checker-disable -->
+<!-- prettier-ignore-start -->
+
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+
+- [dns](#dns)
+- [`hosts.fedora`](#hostsfedora)
+- [`hosts.debian`](#hostsdebian)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+<!-- prettier-ignore-end -->
+<!-- editorconfig-checker-enable -->
+
+## dns
+
+This began from question why should I have DNS to have DNS, but having it
+on DNS resolver level broke DNSSEC due to my weird mixing of systemd-resolved
+and Unbound, so now it's something I can attempt to `/etc/hosts`.
+
+**_EXCERCISE CAUTION!_**
+
+## `hosts.fedora`
+
+I am pretty sure this is the `/etc/hosts` that was given me by Fedora < 40
+with changes removed.
+
+## `hosts.debian`
+
+I think this is the Debian format which used to be just `../hosts` in this
+repository.

etc/hosts/dns

@@ -0,0 +1,84 @@
+##### BEGIN DNS RESOLVER LIST #####
+
+# Well known DNS servers to be appended to /etc/hosts
+
+# Quad 9 Secure
+9.9.9.9 dns.quad9.net
+149.112.112.112 dns.quad9.net
+2620:fe::fe dns.quad9.net
+2620:fe::9 dns.quad9.net
+
+# Quad9 No Threat Blocking
+9.9.9.10 dns10.quad9.net
+149.112.112.10 dns10.quad9.net
+2620:fe::10 dns10.quad9.net
+2620:fe::fe:10 dns10.quad9.net
+
+# Quad9 Secure + ECS
+9.9.9.11 dns11.quad9.net
+149.112.112.11 dns11.quad9.net
+2620:fe::11 dns11.quad9.net
+2620:fe::fe:11 dns11.quad9.net
+
+# Quad9 No Threat Blocking + ECS
+9.9.9.12 dns12.quad9.net
+149.112.112.12 dns12.quad9.net
+2620:fe::12 dns12.quad9.net
+2620:fe::fe:12 dns12.quad9.net
+
+# DNS0 default
+193.110.81.0 dns0.eu
+185.253.5.0 dns0.eu
+2a0f:fc80:: dns0.eu
+2a0f:fc81:: dns0.eu
+
+# DNS0 Zero
+193.110.81.9 zero.dns0.eu
+185.253.5.9 zero.dns0.eu
+2a0f:fc80::9 zero.dns0.eu
+2a0f:fc81::9 zero.dns0.eu
+
+# DNS0 Kids
+193.110.81.1 kids.dns0.eu
+185.253.5.1 kids.dns0.eu
+2a0f:fc80::1 kids.dns0.eu
+2a0f:fc81::1 kids.dns0.eu
+
+# DNS0 Open
+193.110.81.254 open.dns0.eu
+185.253.5.254 open.dns0.eu
+2a0f:fc80::ffff open.dns0.eu
+2a0f:fc81::ffff open.dns0.eu
+
+# Cloudflare
+1.1.1.1 cloudflare-dns.com one.one.one.one
+1.0.0.1 cloudflare-dns.com one.one.one.one
+2606:4700:4700::1111 cloudflare-dns.com one.one.one.one
+2606:4700:4700::1001 cloudflare-dns.com one.one.one.one
+
+1.1.1.2 security.cloudflare-dns.com
+1.0.0.2 security.cloudflare-dns.com
+2606:4700:4700::1112 security.cloudflare-dns.com
+2606:4700:4700::1002 security.cloudflare-dns.com
+
+# Mullvad ad, tracker & malware block
+194.242.2.4 base.dns.mullvad.net
+2a07:e340::4 base.dns.mullvad.net
+
+# AdGuard Default
+94.140.14.14 dns.adguard-dns.com
+94.140.15.15 dns.adguard-dns.com
+2a10:50c0::ad1:ff dns.adguard-dns.com
+2a10:50c0::ad2:ff dns.adguard-dns.com
+
+# Google DNS
+8.8.8.8 dns.google dns.google.com
+8.8.4.4 dns.google dns.google.com
+2001:4860:4860::8888 dns.google dns.google.com
+2001:4860:4860::8844 dns.google dns.google.com
+
+# Google DNS64
+2001:4860:4860::6464 dns64.dns.google
+2001:4860:4860::64 dns64.dns.google
+
+##### END DNS RESOLVER LIST #####

etc/hosts/hosts.fedora

@@ -0,0 +1,7 @@
+# Loopback entries; do not change.
+# For historical reasons, localhost precedes localhost.localdomain:
+127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+# See hosts(5) for proper format and other examples:
+# 192.168.1.10 foo.example.org foo
+# 192.168.1.13 bar.example.org bar

etc/resolv.conf

@@ -12,16 +12,17 @@
 nameserver ::1
 nameserver 127.0.0.1
 
-# systemd-resolved
+# systemd-resolved. WARNING: May cause DNS leaks.
 nameserver 127.0.0.53
 
-# randomly utilize both, extended DNS, trust DNSSEC from both
-options rotate edns0 trust-ad
+# rotate = randomly use all
+# edns0 = extended DNS
+# trust-ad DNSSEC answers
+#options rotate edns0 trust-ad
+options edns0 trust-ad
 
 # no sending local domain to upstream whenever NXDOMAIN happens
 search .
-# Attempt to mDNS everything?
-#search .local
 
 # PS. Remove empty lines and comments if this ends up in /etc/resolv.conf
 # PPS. The traditional spell is:

etc/systemd/network/10-ether.network

@@ -10,6 +10,8 @@ Type=ether
 RequiredForOnline=false
 # Takes "ipv4", "ipv6", "both", or "any" (default).
 RequiredFamilyForOnline=both
+# If something else (like NetworkManager) manages network, uncomment
+#Unmanaged=true
 # Always set administrative state to up. Implies RequiredForOnline=true
 #ActivationPolicy=always-up
 # Required for mDNS
@@ -22,16 +24,15 @@ Address=192.168.0.2/24
 Gateway=192.168.0.1
 IPv6PrivacyExtensions=true
 IPv6LinkLocalAddressGenerationMode=stable-privacy
-# DNS has no effect unless systemd-resolved is used. Why would it be used?
 # systemctl enable systemd-resolved && systemctl start systemd-resolved
 # ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
-#DNS=127.0.0.1
-#DNS=::1
-#DNS=8.8.4.4
-#DNSSEC=true
-#DNSSEC=allow-downgrade
-#DNSOverTLS=true
+DNS=
+DNS=::1
+DNS=127.0.0.1
+DNS=127.0.0.53
+DNSSEC=true
 #DNSOverTLS=opportunistic
+DNSOverTLS=true
 # Search domains
 Domains=.
 # Enable systemd-timesyncd with `timedatectl set-ntp true`, may be specified

etc/systemd/network/10-none.network

@@ -0,0 +1,20 @@
+# Yggdrasil appears as type none
+[Match]
+Type=none
+
+[Link]
+Unmanaged=true
+Multicast=false
+
+[Network]
+IPv6PrivacyExtensions=true
+IPv6LinkLocalAddressGenerationMode=stable-privacy
+Domains=.
+MulticastDNS=false
+LLMNR=false
+DNSSEC=true
+DNSOverTLS=opportunistic
+DNS=
+DNS=::1
+DNS=127.0.0.1
+DNS=127.0.0.53

etc/systemd/network/10-wireguard.network

@@ -0,0 +1,19 @@
+[Match]
+Type=wireguard
+
+[Link]
+Unmanaged=true
+Multicast=false
+
+[Network]
+IPv6PrivacyExtensions=true
+IPv6LinkLocalAddressGenerationMode=stable-privacy
+Domains=.
+MulticastDNS=false
+LLMNR=false
+DNSSEC=true
+DNSOverTLS=opportunistic
+DNS=
+DNS=::1
+DNS=127.0.0.1
+DNS=127.0.0.53

etc/systemd/network/10-wlan.network

@@ -19,14 +19,17 @@ Multicast=true
 DHCP=true
 IPv6PrivacyExtensions=true
 IPv6LinkLocalAddressGenerationMode=stable-privacy
+DNS=
+DNS=::1
+DNS=127.0.0.1
+DNS=127.0.0.53
 # Enable mDNS/.local for systemd-resolved
 MulticastDNS=true
 # Windows
 LLMNR=true
 # systemd-resolved configuration
-#DNSSEC=true
-#DNSSEC=allow-downgrade
-#DNSOverTLS=true
+DNSSEC=true
 #DNSOverTLS=opportunistic
+DNSOverTLS=true
 # Search domains
 Domains=.

etc/systemd/resolved.conf.d/00-defaults.conf

@@ -0,0 +1,24 @@
+[Resolve]
+# Don't trust upstream to verify DNSSEC, even if was encrypted.
+# https://notes.valdikss.org.ru/jabber.ru-mitm/
+# BREAKAGE WARNING for everything else than DNSSEC=false !
+# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
+# PRIVACY WARNING! systemd-networkd/links may override this.
+DNSSEC=true
+# Take the risk of downgrade attacks. Web browser policies enforce
+# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
+# it.
+#DNSOverTLS=opportunistic
+DNSOverTLS=true
+Cache=true
+# Consider local DNS servers if they exist. Empty should erase previous values.
+DNS=
+DNS=127.0.0.1
+DNS=::1
+Domains=~.
+# .local domains
+MulticastDNS=true
+# Microsoft Windows compatibility?
+LLMNR=true
+
+# vim: filetype=systemd

etc/systemd/resolved.conf.d/00-no-local-resolver.conf

@@ -1,19 +0,0 @@
-[Resolve]
-# Use this together with other files other than 00-only-local-resolver.conf!
-# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
-#DNSSEC=allow-downgrade
-# Regardless of the above DNS breaking issues when DNSSEC is
-# enabled/opportunistic, it provides authentication which is important. TLS
-# cannot be fully trusted. https://notes.valdikss.org.ru/jabber.ru-mitm/
-DNSSEC=true
-DNSOverTLS=opportunistic
-Cache=true
-#DNS=127.0.0.1
-#DNS=::1
-Domains=~.
-# .local domains
-MulticastDNS=true
-# Microsoft Windows compatibility?
-LLMNR=true
-
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/00-only-local-resolver.conf

@@ -1,14 +0,0 @@
-[Resolve]
-# All this is done by Unbound. Don't use other files together with this one.
-DNSSEC=false
-DNSOverTLS=false
-Cache=false
-DNS=127.0.0.1
-DNS=::1
-Domains=~.
-# .local domains
-MulticastDNS=true
-# Microsoft Windows compatibility?
-LLMNR=true
-
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/README.md

@@ -26,19 +26,15 @@ sudo systemctl restart systemd-resolved
 
 ## Files explained
 
-- `00-no-local-resolver.conf` - configuration that should be used everywhere.
+- `00-defaults.conf` - configuration that should be used everywhere.
   Enables DNSSEC (regardless of systemd-resolved not handling it properly),
   enables opportunistic DoT, caching and local DNS servers (because they
   should exist anyway as I don't trust systemd-resolved entirely. Anyway if
   there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
-  - To rephrase, this is sto be used together with other files, especially
+  - To rephrase, this is to be used together with other files, especially
     some of those beginning with `dot-`.
-- `00-only-local-resolver.conf` - for when there is known local resolver.
-  **_Don't combine this with the other files._**
-- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
-  captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
-  should be used in addition to `00-defaults.conf`
-- `nordvpn.conf` - includes NordVPN's resolver addresses for hosts using it
+- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS.
+  At least one of these should be used in addition to `00-defaults.conf`
 - `README.md` - you are reading it right now.
 
 ## General commentary

etc/systemd/resolved.conf.d/nordvpn.conf

@@ -1,5 +0,0 @@
-[Resolve]
-DNS=2400:bb40:4444::103 2400:bb40:8888::103
-DNS=103.86.96.100 103.86.99.100
-
-# vim: filetype=systemd