unbound: also disable qname-minimization for DNSo53 forwarders

unbound: move to tls-ystem-cert from tls-cert-bundle & disable qname minimization for DoT forward-zones
Windows/DoH/DohWellKnownServers.reg: add Quad9 10 & 12
2024-04-17 16:03:23 +03:00 · 2024-04-17 16:01:38 +03:00 · 2024-04-17 15:48:13 +03:00 · 2024-04-17 15:43:18 +03:00 · 2024-04-17 15:42:34 +03:00 · 2024-04-17 15:42:08 +03:00
14 changed files with 83 additions and 17 deletions
--- a/Windows/CVE-2018-3639.reg
+++ b/Windows/CVE-2018-3639.reg
@ -1,5 +0,0 @@
-Windows Registry Editor Version 5.00
-
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
-"FeatureSettingsOverride"=dword:00000008
-"FeatureSettingsOverrideMask"=dword:00000003
--- a/Windows/DoH/DohWellKnownServers.reg
+++ b/Windows/DoH/DohWellKnownServers.reg
@ -127,3 +127,27 @@ Windows Registry Editor Version 5.00

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2001:67c:2b0::2]
 "Template"="https://dns.quad9.net/dns-query"
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\9.9.9.10]
+"Template"="https://dns10.quad9.net/dns-query"
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\149.112.112.10]
+"Template"="https://dns10.quad9.net/dns-query"
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2620:fe::10]
+"Template"="https://dns10.quad9.net/dns-query"
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2620:fe::fe:10]
+"Template"="https://dns10.quad9.net/dns-query"
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\9.9.9.12]
+"Template"="https://dns12.quad9.net/dns-query"
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\149.112.112.12]
+"Template"="https://dns12.quad9.net/dns-query"
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2620:fe::12]
+"Template"="https://dns12.quad9.net/dns-query"
+
+[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DohWellKnownServers\2620:fe::fe:12]
+"Template"="https://dns12.quad9.net/dns-query"
--- a/etc/resolv.tsv
+++ b/etc/resolv.tsv
@ -1,7 +1,7 @@
 Provider	DoH	DoT	IPv6	IPv6	IPv4	IPv4	Apple MobileConfig	ECS	Source for EDNS Client Subnet (ECS)
 AdGuard	https://dns.adguard-dns.com/dns-query	dns.adguard-dns.com	2a10:50c0::ad1:ff	2a10:50c0::ad2:ff	94.140.14.14	94.140.15.15	https://adguard-dns.io/public-dns.html	private	https://adguard.com/en/blog/private-dns-v0-3-beta.html
-AdGuard Non-filtering	https://unfiltered.adguard-dns.com/dns-query	unfiltered.adguard-dns.com	2a10:50c0::1:ff	2a10:50c0::2:ff	94.140.14.140	94.140.14.141	https://adguard-dns.io/public-dns.html	private	https://adguard.com/en/blog/private-dns-v0-3-beta.html
 AdGuard Family	https://family.adguard-dns.com/dns-query	family.adguard-dns.com	2a10:50c0::bad1:ff	2a10:50c0::bad2:ff	94.140.14.15	94.140.15.16	https://adguard-dns.io/public-dns.html	private	https://adguard.com/en/blog/private-dns-v0-3-beta.html
+AdGuard Non-filtering	https://unfiltered.adguard-dns.com/dns-query	unfiltered.adguard-dns.com	2a10:50c0::1:ff	2a10:50c0::2:ff	94.140.14.140	94.140.14.141	https://adguard-dns.io/public-dns.html	private	https://adguard.com/en/blog/private-dns-v0-3-beta.html
 Applied Privacy (encrypted only, DoT in ports 443,853)	https://doh.applied-privacy.net/query	dot1.applied-privacy.net	2a02:1b8:10:234::2		146.255.56.98			no	https://applied-privacy.net/services/dns/
 BlahDNS DoH-CDN Adblock	https://doh1.blahdns.com/dns-query							no	https://blahdns.com/
 BlahDNS DoH-CDN Unfiltered	https://doh1.blahdns.com/uncensor							no	https://blahdns.com/
@ -21,14 +21,16 @@ DNS0 Open (unfiltered, discouraged)	https://open.dns0.eu	open.dns0.eu	2a0f:fc80:
 DNS0 Zero	https://zero.dns0.eu	zero.dns0.eu	2a0f:fc80::9	2a0f:fc81::9	193.110.81.9	185.253.5.9	https://www.dns0.eu/zero.dns0.eu.mobileconfig	private	https://www.dns0.eu/privacy
 Google DNS (Android DoH3)	https://dns.google/dns-query	dns.google	2001:4860:4860::8888	2001:4860:4860::8844	8.8.8.8	8.8.4.4		yes	https://developers.google.com/speed/public-dns/docs/ecs
 Google DNS64 (Android DoH3)	https://dns64.dns.google/dns-query	dns64.dns.google	2001:4860:4860::6464	2001:4860:4860::64				probably	https://developers.google.com/speed/public-dns/docs/ecs
-Mullvad Vanilla	https://dns.mullvad.net/dns-query	dns.mullvad.net	2a07:e340::2		194.242.2.2		https://github.com/mullvad/encrypted-dns-profiles	No 2023-03-11	I tested with https://gitea.blesmrt.net/mikaela/scripts/src/branch/master/bash/dns-ecs-debug.bash
 Mullvad Adblock	https://adblock.dns.mullvad.net/dns-query	adblock.dns.mullvad.net	2a07:e340::3		194.242.2.3		https://github.com/mullvad/encrypted-dns-profiles	No 2023-03-11	I tested with https://gitea.blesmrt.net/mikaela/scripts/src/branch/master/bash/dns-ecs-debug.bash
+Mullvad All	https://all.dns.mullvad.net/dns-query	all.dns.mullvad.net	2a07:e340::9		194.242.2.9		https://github.com/mullvad/encrypted-dns-profiles		
 Mullvad Base	https://base.dns.mullvad.net/dns-query	base.dns.mullvad.net	2a07:e340::4		194.242.2.4		https://github.com/mullvad/encrypted-dns-profiles		
 Mullvad Extended	https://extended.dns.mullvad.net/dns-query	extended.dns.mullvad.net	2a07:e340::5		194.242.2.5		https://github.com/mullvad/encrypted-dns-profiles		
-Mullvad All	https://all.dns.mullvad.net/dns-query	all.dns.mullvad.net	2a07:e340::9		194.242.2.9		https://github.com/mullvad/encrypted-dns-profiles		
+Mullvad Vanilla	https://dns.mullvad.net/dns-query	dns.mullvad.net	2a07:e340::2		194.242.2.2		https://github.com/mullvad/encrypted-dns-profiles	No 2023-03-11	I tested with https://gitea.blesmrt.net/mikaela/scripts/src/branch/master/bash/dns-ecs-debug.bash
 NextDNS	https://dns.nextdns.io	dns.nextdns.io	2a07:a8c1::	2a07:a8c0::	45.90.30.0	45.90.28.0	https://apple.nextdns.io/	opt-in, private, upstream whitelist	https://medium.com/nextdns/how-we-made-dns-both-fast-and-private-with-ecs-4970d70401e5
 NextDNS Firefox	https://firefox.dns.nextdns.io							no	
 OpenDNS	https://doh.opendns.com/dns-query	dns.opendns.com ? (#127)	2620:119:35::35	2620:119:53::53	208.67.222.222	208.67.220.220		yes, upstream whitelist	https://support.opendns.com/hc/articles/227987647-EDNS-Client-Subnet-FAQ
 OpenDNS Family	https://doh.familyshield.opendns.com/dns-query				208.67.222.123	208.67.220.123		yes, upstream whitelist	https://support.opendns.com/hc/articles/227987647-EDNS-Client-Subnet-FAQ
-Quad9	https://dns.quad9.net/dns-query	dns.quad9.net	2620:fe::fe	2620:fe::9	9.9.9.9	149.112.112.112		no	https://www.quad9.net/support/faq/#edns
-Quad9 ECS	https://dns11.quad9.net/dns-query	dns11.quad9.net	2620:fe::11	2620:fe::fe:11	9.9.9.11	149.112.112.11		yes	https://www.quad9.net/support/faq/#edns
+Quad9 (Secure)	https://dns.quad9.net/dns-query	dns.quad9.net	2620:fe::fe	2620:fe::9	9.9.9.9	149.112.112.112	https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/#download-profile	no	https://www.quad9.net/support/faq/#edns
+Quad9-10 (No Threat Blocking)	https://dns10.quad9.net/dns-query	dns10.quad9.net	2620:fe::10	2620:fe::fe:10	9.9.9.10	149.112.112.10	https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/#download-profile	no	https://docs.quad9.net/services/
+Quad9-11 (Secure + ECS)	https://dns11.quad9.net/dns-query	dns11.quad9.net	2620:fe::11	2620:fe::fe:11	9.9.9.11	149.112.112.11	https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/#download-profile	yes	https://www.quad9.net/support/faq/#edns
+Quad9-12 (No Threat Blocking + ECS)	https://dns12.quad9.net/dns-query	dns12.quad9.net	2620:fe::12	2620:fe::fe:12	9.9.9.12	149.112.112.12	https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/#download-profile	yes	https://docs.quad9.net/services/
--- a/etc/systemd/system/firewalld.service.d/.gitignore
+++ b/etc/systemd/system/firewalld.service.d/.gitignore
@ -0,0 +1 @@
+never-fail.conf
--- a/etc/systemd/system/firewalld.service.d/never-fail.conf
+++ b/etc/systemd/system/firewalld.service.d/never-fail.conf
@ -0,0 +1 @@
+../service.d/never-fail.conf
--- a/etc/unbound/unbound.conf.d/00-insecure-domains.conf
+++ b/etc/unbound/unbound.conf.d/00-insecure-domains.conf
@ -6,6 +6,10 @@
 # thanks to Android.

 server:
+# Quad9 says pointless performance impact on forwarders.
+# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+qname-minimisation: no
+
 forward-zone:
 	name: "mywifiext.net"
 	forward-tls-upstream: no
--- a/etc/unbound/unbound.conf.d/dns-over-tls.conf
+++ b/etc/unbound/unbound.conf.d/dns-over-tls.conf
@ -1,8 +1,13 @@
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no

 # This list is for my travel laptop to have at least one DoT443 server
 # which seems to be applied-privacy.net. They advice having multiple DoT servers
--- a/etc/unbound/unbound.conf.d/dns64-over-tls.conf
+++ b/etc/unbound/unbound.conf.d/dns64-over-tls.conf
@ -3,9 +3,14 @@

 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no

 # Forward queries to
 forward-zone:
--- a/etc/unbound/unbound.conf.d/dot-adguard.conf
+++ b/etc/unbound/unbound.conf.d/dot-adguard.conf
@ -1,8 +1,13 @@
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no

 forward-zone:
 	name: "."
--- a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
@ -7,9 +7,14 @@

 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# Fedora
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no

 forward-zone:
 	name: "."
--- a/etc/unbound/unbound.conf.d/dot-dns0.conf
+++ b/etc/unbound/unbound.conf.d/dot-dns0.conf
@ -1,8 +1,13 @@
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no

 forward-zone:
 	name: "."
--- a/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf
+++ b/etc/unbound/unbound.conf.d/dot-fluhable-cache.conf
@ -3,9 +3,14 @@

 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no

 # DNS servers that have public button for flushing cache. Privacy not considered.

--- a/etc/unbound/unbound.conf.d/dot-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-quad9.conf
@ -1,8 +1,13 @@
 server:
 	# Debian ca-certificates location
-	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
 	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no

 forward-zone:
 	name: "."
--- a/etc/unbound/unbound.conf.d/nordvpn.conf
+++ b/etc/unbound/unbound.conf.d/nordvpn.conf
@ -1,4 +1,8 @@
 server:
+# Quad9 says pointless performance impact on forwarders.
+# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+qname-minimisation: no
+
 forward-zone:
 	name: "."
 	forward-tls-upstream: no
Author	SHA1	Message	Date
Aminda Suomalainen	5097076daf	unbound: also disable qname-minimization for DNSo53 forwarders	2024-04-17 16:03:23 +03:00
Aminda Suomalainen	363be56010	unbound: move to tls-ystem-cert from tls-cert-bundle & disable qname minimization for DoT forward-zones	2024-04-17 16:01:38 +03:00
Aminda Suomalainen	6af465359d	Windows/DoH/DohWellKnownServers.reg: add Quad9 10 & 12	2024-04-17 15:48:13 +03:00
Aminda Suomalainen	4e1e55e54c	Windows: rm CVE-2018-3639.reg, it probably shouldn't live here forever	2024-04-17 15:43:18 +03:00
Aminda Suomalainen	bbab2f335d	resolv.tsv: sort	2024-04-17 15:42:34 +03:00
Aminda Suomalainen	9ba083f81f	resolv.tsv: add Quad9 unfiltered variants	2024-04-17 15:42:08 +03:00
Aminda Suomalainen	c18fe92ad8	etc/resolv.tsv: add Quad9 Apple Mobileconfigs	2024-04-17 15:34:43 +03:00
Aminda Suomalainen	f10b151a3b	systemd: add firewalld.service.d/never-fail.conf due to failing to timeout on sedric	2024-04-17 11:38:43 +03:00