Compare commits
14 Commits
44b6e5b618
...
f41e80d66a
Author | SHA1 | Date |
---|---|---|
Aminda Suomalainen | f41e80d66a | |
Aminda Suomalainen | 97c2e74220 | |
Aminda Suomalainen | 4560e776df | |
Aminda Suomalainen | 886b8dbfbd | |
Aminda Suomalainen | 4acd22dc37 | |
Aminda Suomalainen | 6ea0a570dd | |
Aminda Suomalainen | dea732d15b | |
Aminda Suomalainen | f976c9a530 | |
Aminda Suomalainen | 895359ff67 | |
Aminda Suomalainen | 903e38f307 | |
Aminda Suomalainen | 7be1800002 | |
Aminda Suomalainen | 3d58aee508 | |
Aminda Suomalainen | e56e5e1909 | |
Aminda Suomalainen | 02c434b81b | |
@ -0,0 +1,36 @@
|
|||
# `/etc/hosts`
|
||||
|
||||
This file is DNS before DNS and legacy remain which is still used.
|
||||
|
||||
<!-- editorconfig-checker-disable -->
|
||||
<!-- prettier-ignore-start -->
|
||||
|
||||
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
|
||||
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
|
||||
|
||||
- [dns](#dns)
|
||||
- [`hosts.fedora`](#hostsfedora)
|
||||
- [`hosts.debian`](#hostsdebian)
|
||||
|
||||
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
|
||||
|
||||
<!-- prettier-ignore-end -->
|
||||
<!-- editorconfig-checker-enable -->
|
||||
|
||||
## dns
|
||||
|
||||
This began from question why should I have DNS to have DNS, but having it
|
||||
on DNS resolver level broke DNSSEC due to my weird mixing of systemd-resolved
|
||||
and Unbound, so now it's something I can attempt to `/etc/hosts`.
|
||||
|
||||
**_EXCERCISE CAUTION!_**
|
||||
|
||||
## `hosts.fedora`
|
||||
|
||||
I am pretty sure this is the `/etc/hosts` that was given me by Fedora < 40
|
||||
with changes removed.
|
||||
|
||||
## `hosts.debian`
|
||||
|
||||
I think this is the Debian format which used to be just `../hosts` in this
|
||||
repository.
|
|
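Review bot: the README never states the risk behind its `EXCERCISE CAUTION` line: entries in `/etc/hosts` are static, unsigned and consulted before any resolver, so a stale or mistyped address for a name such as `dns.quad9.net` silently redirects every plain-DNS or non-TLS lookup of that name, with no DNSSEC or resolver check in the path to notice (only a strict DNS-over-TLS client would fail closed on the certificate). Say that in the `## dns` section together with how the list is meant to be refreshed. Two wording fixes as well: `EXCERCISE` is a typo for `EXERCISE`, and the opening sentence `This file is DNS before DNS and legacy remain which is still used.` reads better as `This file predates DNS and is still consulted before it.`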
@ -0,0 +1,84 @@
|
|||
##### BEGIN DNS RESOLVER LIST #####
|
||||
|
||||
# Well known DNS servers to be appended to /etc/hosts
|
||||
|
||||
# Quad 9 Secure
|
||||
9.9.9.9 dns.quad9.net
|
||||
149.112.112.112 dns.quad9.net
|
||||
2620:fe::fe dns.quad9.net
|
||||
2620:fe::9 dns.quad9.net
|
||||
|
||||
# Quad9 No Threat Blocking
|
||||
9.9.9.10 dns10.quad9.net
|
||||
149.112.112.10 dns10.quad9.net
|
||||
2620:fe::10 dns10.quad9.net
|
||||
2620:fe::fe:10 dns10.quad9.net
|
||||
|
||||
# Quad9 Secure + ECS
|
||||
9.9.9.11 dns11.quad9.net
|
||||
149.112.112.11 dns11.quad9.net
|
||||
2620:fe::11 dns11.quad9.net
|
||||
2620:fe::fe:11 dns11.quad9.net
|
||||
|
||||
# Quad9 No Threat Blocking + ECS
|
||||
9.9.9.12 dns12.quad9.net
|
||||
149.112.112.12 dns12.quad9.net
|
||||
2620:fe::12 dns12.quad9.net
|
||||
2620:fe::fe:12 dns12.quad9.net
|
||||
|
||||
# DNS0 default
|
||||
193.110.81.0 dns0.eu
|
||||
185.253.5.0 dns0.eu
|
||||
2a0f:fc80:: dns0.eu
|
||||
2a0f:fc81:: dns0.eu
|
||||
|
||||
# DNS0 Zero
|
||||
193.110.81.9 zero.dns0.eu
|
||||
185.253.5.9 zero.dns0.eu
|
||||
2a0f:fc80::9 zero.dns0.eu
|
||||
2a0f:fc81::9 zero.dns0.eu
|
||||
|
||||
# DNS0 Kids
|
||||
193.110.81.1 kids.dns0.eu
|
||||
185.253.5.1 kids.dns0.eu
|
||||
2a0f:fc80::1 kids.dns0.eu
|
||||
2a0f:fc81::1 kids.dns0.eu
|
||||
|
||||
# DNS0 Open
|
||||
193.110.81.254 open.dns0.eu
|
||||
185.253.5.254 open.dns0.eu
|
||||
2a0f:fc80::ffff open.dns0.eu
|
||||
2a0f:fc81::ffff open.dns0.eu
|
||||
|
||||
# Cloudflare
|
||||
1.1.1.1 cloudflare-dns.com one.one.one.one
|
||||
1.0.0.1 cloudflare-dns.com one.one.one.one
|
||||
2606:4700:4700::1111 cloudflare-dns.com one.one.one.one
|
||||
2606:4700:4700::1001 cloudflare-dns.com one.one.one.one
|
||||
|
||||
1.1.1.2 security.cloudflare-dns.com
|
||||
1.0.0.2 security.cloudflare-dns.com
|
||||
2606:4700:4700::1112 security.cloudflare-dns.com
|
||||
2606:4700:4700::1002 security.cloudflare-dns.com
|
||||
|
||||
# Mullvad ad, tracker & malware block
|
||||
194.242.2.4 base.dns.mullvad.net
|
||||
2a07:e340::4 base.dns.mullvad.net
|
||||
|
||||
# AdGuard Default
|
||||
94.140.14.14 dns.adguard-dns.com
|
||||
94.140.15.15 dns.adguard-dns.com
|
||||
2a10:50c0::ad1:ff dns.adguard-dns.com
|
||||
2a10:50c0::ad2:ff dns.adguard-dns.com
|
||||
|
||||
# Google DNS
|
||||
8.8.8.8 dns.google dns.google.com
|
||||
8.8.4.4 dns.google dns.google.com
|
||||
2001:4860:4860::8888 dns.google dns.google.com
|
||||
2001:4860:4860::8844 dns.google dns.google.com
|
||||
|
||||
# Google DNS64
|
||||
2001:4860:4860::6464 dns64.dns.google
|
||||
2001:4860:4860::64 dns64.dns.google
|
||||
|
||||
##### END DNS RESOLVER LIST #####
|
|
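Review bot: the header comment `# Well known DNS servers to be appended to /etc/hosts` does not say what the entries are for, and the BEGIN/END markers imply a script maintains the block without recording when the addresses were last verified. State the purpose (resolving resolver hostnames such as `dns.quad9.net` when no resolver is available yet, for example to bootstrap DNS-over-TLS) and add a `# checked YYYY-MM-DD against <provider page>` line per provider group: a hosts entry is static, so when a provider renumbers, strict DNS-over-TLS fails closed on the certificate check but plain-DNS use of the hostname is quietly sent to whatever now answers at the old address. The group labels are also inconsistent (`# Quad 9 Secure` next to `# Quad9 No Threat Blocking`).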
@ -0,0 +1,7 @@
|
|||
# Loopback entries; do not change.
|
||||
# For historical reasons, localhost precedes localhost.localdomain:
|
||||
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
|
||||
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
|
||||
# See hosts(5) for proper format and other examples:
|
||||
# 192.168.1.10 foo.example.org foo
|
||||
# 192.168.1.13 bar.example.org bar
|
|
@ -12,16 +12,17 @@
|
|||
nameserver ::1
|
||||
nameserver 127.0.0.1
|
||||
|
||||
# systemd-resolved
|
||||
# systemd-resolved. WARNING: May cause DNS leaks.
|
||||
nameserver 127.0.0.53
|
||||
|
||||
# randomly utilize both, extended DNS, trust DNSSEC from both
|
||||
options rotate edns0 trust-ad
|
||||
# rotate = randomly use all
|
||||
# edns0 = extended DNS
|
||||
# trust-ad DNSSEC answers
|
||||
#options rotate edns0 trust-ad
|
||||
options edns0 trust-ad
|
||||
|
||||
# no sending local domain to upstream whenever NXDOMAIN happens
|
||||
search .
|
||||
# Attempt to mDNS everything?
|
||||
#search .local
|
||||
|
||||
# PS. Remove empty lines and comments if this ends up in /etc/resolv.conf
|
||||
# PPS. The traditional spell is:
|
||||
|
|
|
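Review bot: the `# trust-ad DNSSEC answers` comment undersells what `trust-ad` does; with it, glibc passes the AD bit from any listed nameserver straight through to applications, which is only safe here because every `nameserver` is on loopback. Say so next to the option, otherwise a later edit that adds an upstream address turns unvalidated answers into ones that look authenticated. The `WARNING: May cause DNS leaks` on `nameserver 127.0.0.53` should also say when it applies: with `rotate` commented out (`options edns0 trust-ad`), glibc tries the servers in order, so the stub is only reached when `::1` and `127.0.0.1` fail to answer, which is exactly the moment a fallback to an unencrypted forwarder would go unnoticed. Finally, `# PPS. The traditional spell is:` is cut off mid-sentence; either finish it or drop it.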
@ -10,6 +10,8 @@ Type=ether
|
|||
RequiredForOnline=false
|
||||
# Takes "ipv4", "ipv6", "both", or "any" (default).
|
||||
RequiredFamilyForOnline=both
|
||||
# If something else (like NetworkManager) manages network, uncomment
|
||||
#Unmanaged=true
|
||||
# Always set administrative state to up. Implies RequiredForOnline=true
|
||||
#ActivationPolicy=always-up
|
||||
# Required for mDNS
|
||||
|
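Review bot: the comment `# Always set administrative state to up. Implies RequiredForOnline=true` overstates what `ActivationPolicy=always-up` does: it changes the default of `RequiredForOnline=` to yes, but an explicit `RequiredForOnline=false` such as the one a few lines above still wins. Reword it to `changes the RequiredForOnline= default to yes unless the option is set explicitly`, otherwise a reader uncommenting the line will expect behaviour they do not get. The `# If something else (like NetworkManager) manages network, uncomment` / `#Unmanaged=true` pair would also benefit from a note that `Unmanaged=true` disables the whole `[Network]` section of this file, DNS settings included.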
@ -22,16 +24,15 @@ Address=192.168.0.2/24
|
|||
Gateway=192.168.0.1
|
||||
IPv6PrivacyExtensions=true
|
||||
IPv6LinkLocalAddressGenerationMode=stable-privacy
|
||||
# DNS has no effect unless systemd-resolved is used. Why would it be used?
|
||||
# systemctl enable systemd-resolved && systemctl start systemd-resolved
|
||||
# ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
|
||||
#DNS=127.0.0.1
|
||||
#DNS=::1
|
||||
#DNS=8.8.4.4
|
||||
#DNSSEC=true
|
||||
#DNSSEC=allow-downgrade
|
||||
#DNSOverTLS=true
|
||||
DNS=
|
||||
DNS=::1
|
||||
DNS=127.0.0.1
|
||||
DNS=127.0.0.53
|
||||
DNSSEC=true
|
||||
#DNSOverTLS=opportunistic
|
||||
DNSOverTLS=true
|
||||
# Search domains
|
||||
Domains=.
|
||||
# Enable systemd-timesyncd with `timedatectl set-ntp true`, may be specified
|
||||
|
|
|
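Review bot: `DNS=127.0.0.53` points systemd-resolved at its own stub listener; resolved refuses its own stub address as an upstream, so the line is at best a no-op and reads as though a fallback existed. Drop it. Separately, `DNSOverTLS=true` (strict) applied to `DNS=::1` and `DNS=127.0.0.1` means resolved will only talk to the loopback resolver over TLS on port 853 and will fail resolution rather than fall back to plain DNS; that is correct fail-closed behaviour only if the local resolver actually serves TLS on loopback with a certificate resolved accepts, so add a comment stating that requirement. The removed `# DNS has no effect unless systemd-resolved is used` block was the only hint of the intended setup, and nothing replaces it.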
@ -0,0 +1,20 @@
|
|||
# Yggdrasil appears as type none
|
||||
[Match]
|
||||
Type=none
|
||||
|
||||
[Link]
|
||||
Unmanaged=true
|
||||
Multicast=false
|
||||
|
||||
[Network]
|
||||
IPv6PrivacyExtensions=true
|
||||
IPv6LinkLocalAddressGenerationMode=stable-privacy
|
||||
Domains=.
|
||||
MulticastDNS=false
|
||||
LLMNR=false
|
||||
DNSSEC=true
|
||||
DNSOverTLS=opportunistic
|
||||
DNS=
|
||||
DNS=::1
|
||||
DNS=127.0.0.1
|
||||
DNS=127.0.0.53
|
|
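Review bot: `Unmanaged=true` under `[Link]` makes networkd leave this interface alone, so nothing under `[Network]` (`DNS=`, `DNSSEC=true`, `DNSOverTLS=opportunistic`, `Domains=.`, `MulticastDNS=false`, `LLMNR=false`) is ever applied. If the intent is only to stop networkd from addressing the link while still pushing per-link DNS settings to resolved, remove `Unmanaged=true`; if the link really should be left alone, delete the `[Network]` section so the file does not suggest protection it does not provide. Two smaller points: `DNS=127.0.0.53` is resolved's own stub listener, which resolved refuses as an upstream, and `Type=none` matches every interface without a device type, including tun devices other than Yggdrasil; matching on `Name=` would be tighter.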
@ -0,0 +1,19 @@
|
|||
[Match]
|
||||
Type=wireguard
|
||||
|
||||
[Link]
|
||||
Unmanaged=true
|
||||
Multicast=false
|
||||
|
||||
[Network]
|
||||
IPv6PrivacyExtensions=true
|
||||
IPv6LinkLocalAddressGenerationMode=stable-privacy
|
||||
Domains=.
|
||||
MulticastDNS=false
|
||||
LLMNR=false
|
||||
DNSSEC=true
|
||||
DNSOverTLS=opportunistic
|
||||
DNS=
|
||||
DNS=::1
|
||||
DNS=127.0.0.1
|
||||
DNS=127.0.0.53
|
|
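Review bot: same problem as the Yggdrasil file: with `Unmanaged=true` in `[Link]`, networkd skips the `[Network]` section entirely, so the `DNS=`, `DNSSEC=true` and `DNSOverTLS=opportunistic` lines have no effect on WireGuard links. Either drop `Unmanaged=true` or drop the `[Network]` section. Note also that `Type=wireguard` matches every WireGuard interface, including tunnels whose peer is expected to supply DNS; a `Name=` match per tunnel avoids applying loopback resolvers (`DNS=::1`, `DNS=127.0.0.1`) to a link where they are not reachable, and `DNS=127.0.0.53` should go for the reason given on the other files.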
@ -19,14 +19,17 @@ Multicast=true
|
|||
DHCP=true
|
||||
IPv6PrivacyExtensions=true
|
||||
IPv6LinkLocalAddressGenerationMode=stable-privacy
|
||||
DNS=
|
||||
DNS=::1
|
||||
DNS=127.0.0.1
|
||||
DNS=127.0.0.53
|
||||
# Enable mDNS/.local for systemd-resolved
|
||||
MulticastDNS=true
|
||||
# Windows
|
||||
LLMNR=true
|
||||
# systemd-resolved configuration
|
||||
#DNSSEC=true
|
||||
#DNSSEC=allow-downgrade
|
||||
#DNSOverTLS=true
|
||||
DNSSEC=true
|
||||
#DNSOverTLS=opportunistic
|
||||
DNSOverTLS=true
|
||||
# Search domains
|
||||
Domains=.
|
||||
|
|
|
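Review bot: `LLMNR=true` with only `# Windows` as justification enables an unauthenticated link-local name resolution protocol on a DHCP-configured link, which is a well-known spoofing surface; the Yggdrasil and WireGuard files in this same change set it to `false`. Unless a concrete Windows host needs it, set `LLMNR=false` here too, and if it stays, expand the comment into the actual requirement. `DNS=127.0.0.53` is again resolved's own stub listener and should be removed, and the three commented-out lines under `# systemd-resolved configuration` (`#DNSSEC=true`, `#DNSSEC=allow-downgrade`, `#DNSOverTLS=true`) now duplicate the live `DNSSEC=true` / `DNSOverTLS=true` below them and can be deleted.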
@ -0,0 +1,24 @@
|
|||
[Resolve]
|
||||
# Don't trust upstream to verify DNSSEC, even if was encrypted.
|
||||
# https://notes.valdikss.org.ru/jabber.ru-mitm/
|
||||
# BREAKAGE WARNING for everything else than DNSSEC=false !
|
||||
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
|
||||
# PRIVACY WARNING! systemd-networkd/links may override this.
|
||||
DNSSEC=true
|
||||
# Take the risk of downgrade attacks. Web browser policies enforce
|
||||
# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
|
||||
# it.
|
||||
#DNSOverTLS=opportunistic
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
||||
# Consider local DNS servers if they exist. Empty should erase previous values.
|
||||
DNS=
|
||||
DNS=127.0.0.1
|
||||
DNS=::1
|
||||
Domains=~.
|
||||
# .local domains
|
||||
MulticastDNS=true
|
||||
# Microsoft Windows compatibility?
|
||||
LLMNR=true
|
||||
|
||||
# vim: filetype=systemd
|
|
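Review bot: the comment `# Take the risk of downgrade attacks. Web browser policies enforce DNS-over-HTTPS anyway ...` describes the commented-out `#DNSOverTLS=opportunistic`, not the active `DNSOverTLS=true`, which is strict and takes no downgrade risk; move the comment onto the opportunistic line or rewrite it for strict mode. With strict DoT and `DNS=127.0.0.1` / `DNS=::1`, resolution fails unless the loopback resolver serves TLS on port 853 with a certificate resolved accepts, so the `# Consider local DNS servers if they exist` comment should state that requirement. Grammar: `even if was encrypted` should read `even if the transport was encrypted`. The `# PRIVACY WARNING! systemd-networkd/links may override this.` line is correct and worth keeping, since per-link settings in `.network` files take precedence over this global file.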
@ -1,19 +0,0 @@
|
|||
[Resolve]
|
||||
# Use this together with other files other than 00-only-local-resolver.conf!
|
||||
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
|
||||
#DNSSEC=allow-downgrade
|
||||
# Regardless of the above DNS breaking issues when DNSSEC is
|
||||
# enabled/opportunistic, it provides authentication which is important. TLS
|
||||
# cannot be fully trusted. https://notes.valdikss.org.ru/jabber.ru-mitm/
|
||||
DNSSEC=true
|
||||
DNSOverTLS=opportunistic
|
||||
Cache=true
|
||||
#DNS=127.0.0.1
|
||||
#DNS=::1
|
||||
Domains=~.
|
||||
# .local domains
|
||||
MulticastDNS=true
|
||||
# Microsoft Windows compatibility?
|
||||
LLMNR=true
|
||||
|
||||
# vim: filetype=systemd
|
|
@ -1,14 +0,0 @@
|
|||
[Resolve]
|
||||
# All this is done by Unbound. Don't use other files together with this one.
|
||||
DNSSEC=false
|
||||
DNSOverTLS=false
|
||||
Cache=false
|
||||
DNS=127.0.0.1
|
||||
DNS=::1
|
||||
Domains=~.
|
||||
# .local domains
|
||||
MulticastDNS=true
|
||||
# Microsoft Windows compatibility?
|
||||
LLMNR=true
|
||||
|
||||
# vim: filetype=systemd
|
|
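Review bot: deleting this profile removes the only configuration for the documented `All this is done by Unbound` case (`DNSSEC=false`, `DNSOverTLS=false`, `Cache=false`, loopback `DNS=`). A host with a local validating resolver is thereby pushed onto the defaults file, which re-validates DNSSEC inside resolved and requires the loopback resolver to speak DNS-over-TLS. If that is intended, say so in the README; otherwise keep a profile that disables validation and TLS towards a local resolver, as this file did.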
@ -26,19 +26,15 @@ sudo systemctl restart systemd-resolved
|
|||
|
||||
## Files explained
|
||||
|
||||
- `00-no-local-resolver.conf` - configuration that should be used everywhere.
|
||||
- `00-defaults.conf` - configuration that should be used everywhere.
|
||||
Enables DNSSEC (regardless of systemd-resolved not handling it properly),
|
||||
enables opportunistic DoT, caching and local DNS servers (because they
|
||||
should exist anyway as I don't trust systemd-resolved entirely. Anyway if
|
||||
there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
|
||||
- To rephrase, this is sto be used together with other files, especially
|
||||
- To rephrase, this is to be used together with other files, especially
|
||||
some of those beginning with `dot-`.
|
||||
- `00-only-local-resolver.conf` - for when there is known local resolver.
|
||||
**_Don't combine this with the other files._**
|
||||
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
|
||||
captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
|
||||
should be used in addition to `00-defaults.conf`
|
||||
- `nordvpn.conf` - includes NordVPN's resolver addresses for hosts using it
|
||||
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS.
|
||||
At least one of these should be used in addition to `00-defaults.conf`
|
||||
- `README.md` - you are reading it right now.
|
||||
|
||||
## General commentary
|
||||
|
|
|
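Review bot: the description of `00-defaults.conf` is out of date in two places that this change leaves as context: it says the file `enables opportunistic DoT`, but `00-defaults.conf` in this same change sets `DNSOverTLS=true` (strict), and the removed `dot-*.conf` sentence (`If captive portals are a concern, DNSOverTLS=opportunistic.`) was the only place telling a reader that strict DoT blocks resolution behind captive portals; keep that caveat in the new `dot-*.conf` entry. The parenthesis opened at `(because they should exist anyway` is closed one sentence later at `act accordingly.)`, which reads as a typo; split it into two sentences.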
@ -1,5 +0,0 @@
|
|||
[Resolve]
|
||||
DNS=2400:bb40:4444::103 2400:bb40:8888::103
|
||||
DNS=103.86.96.100 103.86.99.100
|
||||
|
||||
# vim: filetype=systemd
|