Compare commits

...

5 Commits

20 changed files with 62 additions and 103 deletions


@ -0,0 +1,6 @@
[Resolve]
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
#DNSSEC=allow-downgrade
DNSSEC=no
DNSOverTLS=opportunistic
Cache=yes
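Review bot: `DNSSEC=no` combined with `DNSOverTLS=opportunistic` leaves this drop-in with no integrity protection at all: opportunistic mode silently falls back to plaintext port 53 when the TLS handshake fails, and with validation off nothing checks the answers either. Given the two linked issues that is a defensible trade-off, but the comment next to the disabled `#DNSSEC=allow-downgrade` line should say so explicitly, and name the systemd version the breakage was observed on, so the setting is revisited once the issues are closed. A second comment stating that this file deliberately carries no `DNS=`/`Domains=` keys and is meant to be overridden per key by the later-sorting per-provider drop-ins would also help the next reader.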


@ -1,6 +0,0 @@
# Config file to attempt DNSSEC and DoT everywhere, regardless of tech
# skill
[Resolve]
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=true


@ -1,19 +1,24 @@
## systemd-resolved additional config files # systemd-resolved additional config files
### Files explained ## Quickstart
* 00-everywhere.conf - configuration that doesn't affect DNS servers, attempts ```bash
to use DNSSEC and DoT and if it fails, doesn't care and uses insecure sudo systemctl enable --now systemd-resolved.service
configuration. sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
* quad9-compat.conf - non-tech person config for Quad9, same as above except # After changing configuration
specifies the server. sudo systemctl restart systemd-resolved
* quad9-strict.conf - tech person config demanding DNSSEC and DoT from Quad9 ```
* README.md - you are reading it right now.
### General commentary ## Files explained
I have moved duplicate comments to this file, so it will possibly look weird * `00-defaults.conf` - configuration not touching resolvers. Disables DNSSEC (as
or miss original context. systemd-resolved doesn't handle it properly), enables opportunistic DoT and
caching.
* `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
captive portals are a concern, `DNSOverTLS=no`.
* `README.md` - you are reading it right now.
## General commentary
* Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however * Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
at the time of writing this README.md, the current version is Ubuntu 20.04.0) at the time of writing this README.md, the current version is Ubuntu 20.04.0)
@ -26,11 +31,12 @@ or miss original context.
* DNSSEC may not work if the system is down for a long time and not updated. * DNSSEC may not work if the system is down for a long time and not updated.
Thus `allow-downgrade` may be better for non-tech people, even with the Thus `allow-downgrade` may be better for non-tech people, even with the
potential downgrade attack. There are also captive portals, affecting potential downgrade attack. There are also captive portals, affecting
`DNSOverTLS`. Both take `true` or `false` or their own special option, `DNSOverTLS`. Both take `yes` or `no` or their own special option,
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`. for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
Other links I have found important and my files are based on: Other links I have found important and my files are based on:
* https://wiki.archlinux.org/index.php/Systemd-resolved * https://wiki.archlinux.org/index.php/Systemd-resolved
* Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
* request for strict DOT: https://github.com/systemd/systemd/issues/10755 * request for strict DOT: https://github.com/systemd/systemd/issues/10755
* vulnerable to MITM: https://github.com/systemd/systemd/issues/9397 * vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
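Review bot: the typo `DNNSEC` in the General commentary (`for DNNSEC the \`allow-downgrade\``) survives on the new side; it should read `DNSSEC`. The `dot-*.conf` entry recommends `DNSOverTLS=no` when captive portals are a concern, but `opportunistic`, which `00-defaults.conf` already uses and the commentary below describes, keeps the TLS path whenever the portal lets it through, so suggest `DNSOverTLS=opportunistic` there, or at least mention both options. Since `00-defaults.conf` now sets `DNSSEC=no`, the paragraph calling `allow-downgrade` "better for non-tech people" describes a value none of the shipped files use; one sentence saying it is documented for people who want to re-enable validation would remove the apparent contradiction. Minor: the Quickstart `ln -rsf` step silently replaces an existing `/etc/resolv.conf`, which is worth stating for systems where another tool manages that file.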


@ -1,14 +0,0 @@
# AdGuard / systemd-resolved. For people who don't panic when DoT doesn't
# work and captive portals attack? See README.md. Also requires not
# panicking if tbe user needs something AdGuard is blocking.
[Resolve]
DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
Domains=~.
# non-tech friendliness in case system down for ages. Also DNSSEC ensures
# the DNS server isn't lying which is a task of adblocking DNS server...
DNSSEC=false
# There is no point of disabling this with adblocking DNS
DNSOverTLS=true
Cache=true
# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html


@ -1,8 +0,0 @@
# Cloudflare / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true


@ -0,0 +1,7 @@
[Resolve]
DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
Domains=~.
DNSOverTLS=yes
Cache=yes
# Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html
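Review bot: `DNSOverTLS=yes` here overrides the `opportunistic` value from `00-defaults.conf` only because drop-ins are applied in lexicographic filename order with later files winning per key, so the file name must sort after `00-defaults.conf` (the README's `dot-*` naming does); a comment stating that dependency would stop someone renaming it and silently losing strict mode. Strict mode is also what makes the `#dns.adguard.com` suffix matter: resolved validates the server certificate against that name, so keep the suffix on every address (all four have it here). With `DNSSEC` no longer set in this file, validation follows `00-defaults.conf`, i.e. off, so answers are authenticated only by the TLS channel to AdGuard, which is fine for the stated purpose but should be said in the README.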


@ -0,0 +1,5 @@
[Resolve]
DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
Domains=~.
DNSOverTLS=yes
Cache=yes


@ -1,8 +0,0 @@
[Resolve]
DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
Domains=~.
# non-tech friendliness in case system down for ages. Also DNSSEC ensures
# the DNS server isn't lying which is a task of adblocking DNS server...
DNSSEC=false
DNSOverTLS=true
Cache=true


@ -0,0 +1,5 @@
[Resolve]
DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
Domains=~.
DNSOverTLS=yes
Cache=yes


@ -1,6 +1,5 @@
[Resolve] [Resolve]
DNS=2a07:e340::2#doh.mullvad.net 194.242.2.2#doh.mullvad.net 193.19.108.2#doh.mullvad.net DNS=2a07:e340::2#doh.mullvad.net 194.242.2.2#doh.mullvad.net 193.19.108.2#doh.mullvad.net
Domains=~. Domains=~.
DNSSEC=true DNSOverTLS=yes
DNSOverTLS=true Cache=yes
Cache=true
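Review bot: dropping `DNSSEC=true` changes the effective value to whatever an earlier-sorting file or the distribution's compile-time default provides: `no` when `00-defaults.conf` is installed alongside, unknown otherwise. If this file is meant to work on its own (the README presents the per-provider files as the user's choice), set `DNSSEC=` explicitly, or state in the README that `00-defaults.conf` is required. The `true` to `yes` spelling change is harmless; both are accepted boolean forms.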


@ -1,7 +1,5 @@
# NextDNS / systemd-resolved. For non-tech people? See README.md
[Resolve] [Resolve]
2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io 2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
Domains=~. Domains=~.
DNSSEC=allow-downgrade DNSOverTLS=yes
DNSOverTLS=opportunistic Cache=yes
Cache=true
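Review bot: the server line `2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io` is missing its `DNS=` key on both sides of the diff, so systemd-resolved rejects it as a line without `=` and this file ends up with `Domains=~.` and `DNSOverTLS=yes` but no servers of its own. Suggest prefixing the line with `DNS=`. After the change, `resolvectl status` should list the four NextDNS addresses; if it does not, the key is still being dropped.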


@ -0,0 +1,5 @@
[Resolve]
DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
Domains=~.
DNSOverTLS=yes
Cache=yes
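Review bot: the deleted `dns11` file carried the comment "Quad9 with client subnet", which was the only place the difference from the plain `dns.quad9.net` endpoints was explained; this replacement has no comment at all. Add one noting that the `dns11.quad9.net` addresses enable EDNS Client Subnet, i.e. part of the client's address is forwarded to authoritative servers for geo-targeting, a privacy trade-off the user should pick deliberately rather than by file name.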


@ -1,7 +1,5 @@
# Quad9 / systemd-resolved. For non-tech people? See README.md
[Resolve] [Resolve]
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
Domains=~. Domains=~.
DNSSEC=allow-downgrade DNSOverTLS=yes
DNSOverTLS=opportunistic Cache=yes
Cache=true


@ -0,0 +1,5 @@
[Resolve]
DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
Domains=~.
DNSOverTLS=yes
Cache=yes


@ -1,8 +0,0 @@
# NextDNS / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true


@ -1,7 +0,0 @@
# Quad9 with client subnet / systemd-resolved. For non-tech people? See README.md
[Resolve]
DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
Domains=~.
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Cache=true


@ -1,8 +0,0 @@
# Quad9 with client subnet / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true


@ -1,8 +0,0 @@
# Quad9 / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true


@ -1,8 +0,0 @@
# Snopyta / systemd-resolved. For people who don't panic when DNSSEC or
# DoT doesn't work and captive portals attack? See README.md
[Resolve]
DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
Domains=~.
DNSSEC=true
DNSOverTLS=true
Cache=true


@ -3,9 +3,9 @@
DNS=127.0.0.1 DNS=127.0.0.1
DNS=::1 DNS=::1
Domains=~. Domains=~.
# Done better by Unbound, no failed-auxillary # Done better by Unbound, no failed-auxiliary (https://github.com/systemd/systemd/issues/9867)
DNSSEC=false DNSSEC=no
# Not needed on localhost # Not needed on localhost
DNSOverTLS=false DNSOverTLS=no
# Done by Unbound # Done by Unbound
Cache=false Cache=no
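Review bot: `DNSSEC=no` and `Cache=no` take effect here only if this drop-in sorts after `00-defaults.conf`, which sets `Cache=yes`; a comment on that dependency belongs next to the `[Resolve]` header. The "Done better by Unbound" comments also assume the local Unbound is actually validating; this file cannot enforce that, so the README should point at the Unbound trust-anchor setup, otherwise disabling validation in resolved leaves nobody validating. `DNSOverTLS=no` for `127.0.0.1`/`::1` is fine, since no network hop is involved, and the `auxillary` to `auxiliary` fix plus the issue link are good.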