Mikaela/shell-things
1
0
Fork 0
mirror of https://gitea.blesmrt.net/mikaela/shell-things.git synced 2025-01-09 11:52:31 +01:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: Mikaela:6e77c77aa766ba0a7ee7c9c1ab40da407ba6f995
Branches Tags
Mikaela:cxefa
...
compare: Mikaela:82ef806e9f5dc5233705cc0655a56543ee97eab9
Branches Tags
Mikaela:cxefa

5 Commits
6e77c77aa7 ... 82ef806e9f

Author SHA1 Message Date
Aminda Suomalainen
82ef806e9f
systemd-resolved README: add quickstart, remove extra h-levels 2022-03-28 20:43:03 +03:00
Aminda Suomalainen
17da76e484
systemd/resolved/README.md: add the ArchWiki DNSSEC issue links 2022-03-28 20:37:37 +03:00
Aminda Suomalainen
f55c00dae6
systemd/resolved/README.md: add missing word, improve formatting 2022-03-28 20:36:11 +03:00
Aminda Suomalainen
8c532e3ef8
etc…resolved…: add/clarify links in/to comments 
Courtesy of https://wiki.archlinux.org/title/Systemd-resolved#DNSSEC
 2022-03-28 20:34:37 +03:00
Aminda Suomalainen
d47c374706
etc/ststemd/resolved…: aggressive cleanup/rewriting 2022-03-28 20:28:17 +03:00
20 changed files with 62 additions and 103 deletions
Show Stats Expand all files Collapse all files

6
etc/systemd/resolved.conf.d/00-defaults.conf Normal file
View File

@ -0,0 +1,6 @@
[Resolve]
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
#DNSSEC=allow-downgrade
DNSSEC=no
DNSOverTLS=opportunistic
Cache=yes

6
etc/systemd/resolved.conf.d/00-everywhere.conf
View File

@ -1,6 +0,0 @@
# Config file to attempt DNSSEC and DoT everywhere, regardless of tech
# skill
[Resolve]
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=true

32
etc/systemd/resolved.conf.d/README.md
View File

@ -1,19 +1,24 @@
## systemd-resolved additional config files
# systemd-resolved additional config files
### Files explained
## Quickstart
* 00-everywhere.conf - configuration that doesn't affect DNS servers, attempts
to use DNSSEC and DoT and if it fails, doesn't care and uses insecure
configuration.
* quad9-compat.conf - non-tech person config for Quad9, same as above except
specifies the server.
* quad9-strict.conf - tech person config demanding DNSSEC and DoT from Quad9
* README.md - you are reading it right now.
```bash
sudo systemctl enable --now systemd-resolved.service
sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# After changing configuration
sudo systemctl restart systemd-resolved
```
### General commentary
## Files explained
I have moved duplicate comments to this file, so it will possibly look weird
or miss original context.
* `00-defaults.conf` - configuration not touching resolvers. Disables DNSSEC (as
systemd-resolved doesn't handle it properly), enables opportunistic DoT and
caching.
* `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
captive portals are a concern, `DNSOverTLS=no`.
* `README.md` - you are reading it right now.
## General commentary
* Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
at the time of writing this README.md, the current version is Ubuntu 20.04.0)
@ -26,11 +31,12 @@ or miss original context.
* DNSSEC may not work if the system is down for a long time and not updated.
Thus `allow-downgrade` may be better for non-tech people, even with the
potential downgrade attack. There are also captive portals, affecting
`DNSOverTLS`. Both take `true` or `false` or their own special option,
`DNSOverTLS`. Both take `yes` or `no` or their own special option,
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
Other links I have found important and my files are based on:
* https://wiki.archlinux.org/index.php/Systemd-resolved
* Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
* request for strict DOT: https://github.com/systemd/systemd/issues/10755
* vulnerable to MITM: https://github.com/systemd/systemd/issues/9397

14
etc/systemd/resolved.conf.d/adguard-dot.conf
View File

@ -1,14 +0,0 @@
# AdGuard / systemd-resolved. For people who don't panic when DoT doesn't
# work and captive portals attack? See README.md. Also requires not
# panicking if tbe user needs something AdGuard is blocking.
[Resolve]
DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
Domains=~.
# non-tech friendliness in case system down for ages. Also DNSSEC ensures
# the DNS server isn't lying which is a task of adblocking DNS server...
DNSSEC=false
# There is no point of disabling this with adblocking DNS
DNSOverTLS=true
Cache=true
# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html

8
etc/systemd/resolved.conf.d/cloudflare-strict.conf
View File

@ -1,8 +0,0 @@
# Cloudflare / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true

7
etc/systemd/resolved.conf.d/dot-adguard.conf Normal file
View File

@ -0,0 +1,7 @@
[Resolve]
DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
Domains=~.
DNSOverTLS=yes
Cache=yes
# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html

5
etc/systemd/resolved.conf.d/dot-cloudflare.conf Normal file
View File

@ -0,0 +1,5 @@
[Resolve]
DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
Domains=~.
DNSOverTLS=yes
Cache=yes

8
etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
View File

@ -1,8 +0,0 @@
[Resolve]
DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
Domains=~.
# non-tech friendliness in case system down for ages. Also DNSSEC ensures
# the DNS server isn't lying which is a task of adblocking DNS server...
DNSSEC=false
DNSOverTLS=true
Cache=true

5
etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf Normal file
View File

@ -0,0 +1,5 @@
[Resolve]
DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
Domains=~.
DNSOverTLS=yes
Cache=yes

5
etc/systemd/resolved.conf.d/dot-mullvad-strict.conf → etc/systemd/resolved.conf.d/dot-mullvad.conf
View File

@ -1,6 +1,5 @@
[Resolve]
DNS=2a07:e340::2#doh.mullvad.net 194.242.2.2#doh.mullvad.net 193.19.108.2#doh.mullvad.net
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true
DNSOverTLS=yes
Cache=yes

6
etc/systemd/resolved.conf.d/nextdns-compat.conf → etc/systemd/resolved.conf.d/dot-nextdns.conf
View File

@ -1,7 +1,5 @@
# NextDNS / systemd-resolved. For non-tech people? See README.md
[Resolve]
2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
Domains=~.
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=true
DNSOverTLS=yes
Cache=yes

5
etc/systemd/resolved.conf.d/dot-quad9-ecs.conf Normal file
View File

@ -0,0 +1,5 @@
[Resolve]
DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
Domains=~.
DNSOverTLS=yes
Cache=yes

6
etc/systemd/resolved.conf.d/quad9-compat.conf → etc/systemd/resolved.conf.d/dot-quad9.conf
View File

@ -1,7 +1,5 @@
# Quad9 / systemd-resolved. For non-tech people? See README.md
[Resolve]
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
Domains=~.
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=true
DNSOverTLS=yes
Cache=yes

5
etc/systemd/resolved.conf.d/dot-snopyta.conf Normal file
View File

@ -0,0 +1,5 @@
[Resolve]
DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
Domains=~.
DNSOverTLS=yes
Cache=yes

8
etc/systemd/resolved.conf.d/nextdns-strict.conf
View File

@ -1,8 +0,0 @@
# NextDNS / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true

7
etc/systemd/resolved.conf.d/quad9-ecs-compat.conf
View File

@ -1,7 +0,0 @@
# Quad9 with client subnet / systemd-resolved. For non-tech people? See README.md
[Resolve]
DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
Domains=~.
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=true

8
etc/systemd/resolved.conf.d/quad9-ecs-strict.conf
View File

@ -1,8 +0,0 @@
# Quad9 with client subnet / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true

8
etc/systemd/resolved.conf.d/quad9-strict.conf
View File

@ -1,8 +0,0 @@
# Quad9 / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true

8
etc/systemd/resolved.conf.d/snopyta-strict.conf
View File

@ -1,8 +0,0 @@
# Snopyta / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true

8
etc/systemd/resolved.conf.d/unbound.conf
View File

@ -3,9 +3,9 @@
DNS=127.0.0.1
DNS=::1
Domains=~.
# Done better by Unbound, no failed-auxillary
DNSSEC=false
# Done better by Unbound, no failed-auxiliary (https://github.com/systemd/systemd/issues/9867)
DNSSEC=no
# Not needed on localhost
DNSOverTLS=false
DNSOverTLS=no
# Done by Unbound
Cache=false
Cache=no