Compare commits

3 Commits

17 changed files with 43 additions and 39 deletions

@ -37,9 +37,8 @@
- [`disable-floc.json`](#disable-flocjson)
- [`disable-incognito.json`](#disable-incognitojson)
- [`doh-cloudflare-secure.json`](#doh-cloudflare-securejson)
- [`doh-allowed.json`](#doh-allowedjson)
- [`doh-unlocked-unset.json`](#doh-unlocked-unsetjson)
- [`doh-dns0.json`](#doh-dns0json)
- [`doh-forced.json`](#doh-forcedjson)
- [`doh-mullvad-base.json`](#doh-mullvad-basejson)
- [`doh-quad9-ecs.json`](#doh-quad9-ecsjson)
- [`doh-quad9-insecure-ecs.json`](#doh-quad9-insecure-ecsjson)
@ -254,58 +253,51 @@ Disables incognito mode. I don't recommend this.
## `doh-cloudflare-secure.json`
Sets Cloudflare with malware protection as the DNS-over-HTTPS server.
Sets Cloudflare with malware protection as the forced DNS-over-HTTPS server.
## `doh-allowed.json`
## `doh-unlocked-unset.json`
If no DNS over HTTPS policy is used, this unlocks the setting while still allowing downgrade to system DNS
(think of DoT opportunistic mode, kind of?). Enabling managed policies disable it by default.
If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.
Incompatible with `doh-forced.json`. This must be used together with any other `doh-*.json` file, but only one of them.
Incompatible with other `doh-*.json` file, because they set `"DnsOverHttpsMode": "secure",`.
**_No ECH._**
**_This also causes there to not be ECH._**
## `doh-dns0.json`
Simply enables DNS-over-HTTPS with DNS0.eu.
## `doh-forced.json`
Enforces use of DNS-over-HTTPS disabling the downgrade.
Incompatible with `doh-allowed.json`. Use this together with any other `doh-*.json` file, but only one of them.
**_Required for ECH._**
Simply forces DNS-over-HTTPS with DNS0.eu.
## `doh-mullvad-base.json`
Enables DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.
Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.
- https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#specifications
## `doh-quad9-ecs.json`
Enables DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
their alternative port.
## `doh-quad9-insecure-ecs.json`
Enables DNS over HTTPS with Quad9 ECS enabled unfiltered server and also contains
Forces DNS over HTTPS with Quad9 ECS enabled unfiltered server and also contains
their alternative port. **No DNSSEC either.**
## `doh-quad9-insecure.json`
Enables DNS over HTTPS with Quad9 unfiltered server and also contains
Forces DNS over HTTPS with Quad9 unfiltered server and also contains
their alternative port. **No DNSSEC either.**
## `doh-quad9.json`
Enables DNS over HTTPS with Quad9 threat-blocking server and also contains
Forces DNS over HTTPS with Quad9 threat-blocking server and also contains
their alternative port.
## `enable-ech-ocsp.json`
Enables encrypted client hello and OCSP (or CRL?) checks.
Enables encrypted client hello (ECH) and Online Certificate Status Protocol (OCSP) (or Certificate Revocation List (CRL)?) checks.
However ECH seems to require `"DnsOverHttpsMode": "secure"` from the `doh-*` files and OCSP seems to bypass that going to the system resolver.
## `enable-labs.json`
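
Review bot: in the `doh-unlocked-unset.json` section, the rewritten description drops the statement that unlocking still allows a downgrade to system DNS, which is the property that separates this file from the forcing `doh-*` files; if that fallback still applies, keep a sentence saying so next to the ECH remark. In the same section, "Enabling managed policies disable it" should read "disables", "Incompatible with other `doh-*.json` file" should read "files", and "This also causes there to not be ECH" would read better as "No ECH in this mode". In `enable-ech-ocsp.json`, the new line says OCSP "seems to bypass" secure mode by going to the system resolver; since that would send those lookups outside DoH, say how it was observed or mark it as unverified.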

@ -1,3 +1,4 @@
{
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "https://security.cloudflare-dns.com/dns-query"
}
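
Review bot: with `"DnsOverHttpsMode": "secure"` now set next to a single `DnsOverHttpsTemplates` URL, this profile has no second endpoint to try, whereas the Quad9 files in this change list two templates (default port and `:5053`). Since the README describes the forced mode as disabling the downgrade to system DNS, state there that an unreachable endpoint means no name resolution for this profile.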

@ -1,3 +1,4 @@
{
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "https://kids.dns0.eu/"
}

@ -1,3 +1,4 @@
{
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "https://open.dns0.eu/"
}

@ -1,3 +1,4 @@
{
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "https://zero.dns0.eu/"
}

@ -1,3 +1,4 @@
{
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "https://dns0.eu/"
}

@ -1,3 +0,0 @@
{
"DnsOverHttpsMode": "secure"
}
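
Review bot: deleting the standalone file that set only `"DnsOverHttpsMode": "secure"` while adding the same key to every provider file changes behaviour for anyone who paired a provider file with the old `doh-allowed.json`, because two installed files would then both set `DnsOverHttpsMode`. The README hunk marks the combination as incompatible, but a short upgrade note telling users to remove installed copies of `doh-forced.json` and `doh-allowed.json` would keep stale files from lingering next to the new ones.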

@ -1,3 +1,4 @@
{
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "https://base.dns.mullvad.net/dns-query"
}

@ -1,3 +1,4 @@
{
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "https://dns11.quad9.net/dns-query https://dns11.quad9.net:5053/dns-query"
}

@ -1,3 +1,4 @@
{
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "https://dns12.quad9.net/dns-query https://dns12.quad9.net:5053/dns-query"
}

@ -1,3 +1,4 @@
{
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "https://dns10.quad9.net/dns-query https://dns10.quad9.net:5053/dns-query"
}

@ -1,3 +1,4 @@
{
"DnsOverHttpsMode": "secure",
"DnsOverHttpsTemplates": "https://dns.quad9.net/dns-query https://dns.quad9.net:5053/dns-query"
}

@ -0,0 +1 @@
dot-trex.conf

@ -1,3 +1,6 @@
# https://docs.quad9.net/services/
# https://www.trex.fi/service/resolvers.html - says they don't provide
# encryption, but host a Quad9 node and giving these addresses instead.
[Resolve]
# Secure
DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
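
Review bot: the new header comment is hard to parse ("but host a Quad9 node and giving these addresses instead") and never says outright that every `DNS=` entry below is a Quad9 address with `#dns.quad9.net` as the server name; something like "they host a Quad9 node and point to these addresses instead" would be clearer. The `#dns.quad9.net` suffix is only used for TLS name verification when `DNSOverTLS=` is enabled, and that setting is not in the lines shown, so confirm it is set later in the file.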

@ -0,0 +1 @@
dot-quad9.conf

@ -18,39 +18,39 @@ forward-zone:
forward-tls-upstream: yes
## Secure
forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 2620:fe::9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-addr: 2620:fe::fe@8853#dns.quad9.net
forward-addr: 9.9.9.9@8853#dns.quad9.net
forward-addr: 2620:fe::9@853#dns.quad9.net
forward-addr: 2620:fe::9@8853#dns.quad9.net
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 9.9.9.9@8853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-addr: 149.112.112.112@8853#dns.quad9.net
## No Threat Blocking
#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
#forward-addr: 149.112.112.10@853#dns10.quad9.net
#forward-addr: 2620:fe::10@853#dns10.quad9.net
#forward-addr: 9.9.9.10@853#dns10.quad9.net
#forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
#forward-addr: 149.112.112.10@853#dns10.quad9.net
#forward-addr: 149.112.112.10@8853#dns10.quad9.net
#forward-addr: 2620:fe::10@853#dns10.quad9.net
#forward-addr: 2620:fe::10@8853#dns10.quad9.net
#forward-addr: 9.9.9.10@853#dns10.quad9.net
#forward-addr: 9.9.9.10@8853#dns10.quad9.net
## Secure + ECS
#forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
#forward-addr: 9.9.9.11@853#dns11.quad9.net
#forward-addr: 2620:fe::11@853#dns11.quad9.net
#forward-addr: 149.112.112.11@853#dns11.quad9.net
#forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
#forward-addr: 9.9.9.11@853#dns11.quad9.net
#forward-addr: 9.9.9.11@8853#dns11.quad9.net
#forward-addr: 2620:fe::11@853#dns11.quad9.net
#forward-addr: 2620:fe::11@8853#dns11.quad9.net
#forward-addr: 149.112.112.11@853#dns11.quad9.net
#forward-addr: 149.112.112.11@8853#dns11.quad9.net
## No Threat Blocking + ECS
#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
#forward-addr: 9.9.9.12@853#dns12.quad9.net
#forward-addr: 2620:fe::12@853#dns12.quad9.net
#forward-addr: 149.112.112.12@853#dns12.quad9.net
#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
#forward-addr: 9.9.9.12@853#dns12.quad9.net
#forward-addr: 9.9.9.12@8853#dns12.quad9.net
#forward-addr: 2620:fe::12@853#dns12.quad9.net
#forward-addr: 2620:fe::12@8853#dns12.quad9.net
#forward-addr: 149.112.112.12@853#dns12.quad9.net
#forward-addr: 149.112.112.12@8853#dns12.quad9.net
# vim: filetype=unbound.conf
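
Review bot: the added `@8853` entries carry no comment saying what the second port is, and the hunk mixes that addition with a reordering of the existing `@853` lines, which makes it hard to confirm that no address was dropped. A one-line comment above `## Secure` naming 8853 as the alternative port (the README does this for the DoH files) and a separate commit for the reorder would make the change checkable; the commented-out blocks follow the same pattern and deserve the same check before anyone uncomments them.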