2025-08-19 12:47:27 +02:00
17 changed files with 23 additions and 138 deletions
--- a/etc/NetworkManager-resolv.conf-restore.bash
+++ b/etc/NetworkManager-resolv.conf-restore.bash
@ -1,39 +0,0 @@
 #!/usr/bin/env bash
 set -x
 # I learned that not only systemd-resolved does this, but NetworkManager as
 # well. I think it's even less likely I use this than the systemd-resolved
 # one, but anyway
 # I know there are old versions that used something else, but I don't remember
 # that name and they are ancient.
 if ! hash nmcli 2>/dev/null; then
 	echo "You don't seem to have NetworkManager (or nmcli) installed." 1>&2
 	exit 1
 fi
 # Require root or exit
 if [ "$(id -u)" != "0" ]; then
 	echo "This script requires root." 1>&2
 	exit 1
 fi
 # It's pointless to make a dead symlink as it must be running
 systemctl enable --now NetworkManager.service
 # In case I am behind the /etc/resolv.conf, it's immutable and read-only,
 # which won't allow it to be rewritten.
 chattr -V -i /etc/resolv.conf
 chmod -v +w /etc/resolv.conf
 # It must be removed if it's not a symlink
 rm -v /etc/resolv.conf
 # and finally making the symlink
 ln -sfv /var/run/NetworkManager/resolv.conf /etc/resolv.conf
 # Let's just see it's ok
 ls -l /etc/resolv.conf
 cat /etc/resolv.conf
 set +x
--- a/etc/NetworkManager/conf.d/.gitignore
+++ b/etc/NetworkManager/conf.d/.gitignore
@ -1 +1,2 @@
 dns-none.conf
 no-resolvconf.conf
--- a/etc/NetworkManager/conf.d/connectivity.conf
+++ b/etc/NetworkManager/conf.d/connectivity.conf
@ -8,5 +8,3 @@ interval=100
 # sudo apt install network-manager-config-connectivity-debian
 # for /usr/lib/NetworkManager/conf.d/20-connectivity-debian.conf
 # (http://network-test.debian.org/nm without interval)
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/dns-none.conf
+++ b/etc/NetworkManager/conf.d/dns-none.conf
@ -1,8 +0,0 @@
 [main]
 # No managing DNS, no managing resolv.conf (implied made explicit here) and
 # don't push data to systemd-resolved either.
 dns=none
 rc-manager=unmanaged
 systemd-resolved=false
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/dns-none.conf
+++ b/etc/NetworkManager/conf.d/dns-none.conf
@ -0,0 +1 @@
 paws-off-my-resolv.conf
--- a/etc/NetworkManager/conf.d/ipv6privacy.conf
+++ b/etc/NetworkManager/conf.d/ipv6privacy.conf
@ -2,5 +2,3 @@
 [connection]
 # Enable IPv6 privacy extensions, but this doesn't seem to work.
 ipv6.ip6-privacy=2
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/iwd.conf
+++ b/etc/NetworkManager/conf.d/iwd.conf
@ -9,5 +9,3 @@
 [device]
 wifi.backend=iwd
 wifi.iwd.autoconnect=true
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/keyfile.conf
+++ b/etc/NetworkManager/conf.d/keyfile.conf
@ -2,5 +2,3 @@
 # Disable misbehaving NIC
 #unmanaged-devices=mac:xx:xx:xx:xx:xx:xx
 #hostname=HOSTNAME_TO_SEND_TO_DHCPD
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/manage-ifupdown.conf
+++ b/etc/NetworkManager/conf.d/manage-ifupdown.conf
@ -1,5 +1,3 @@
 # Brings /etc/network/interfaces(.d/*) under control of NetworkManager
 [ifupdown]
 managed=true
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/mdns.conf
+++ b/etc/NetworkManager/conf.d/mdns.conf
@ -2,5 +2,3 @@
 [connection]
 connection.mdns=2
 connection.llmnr=2
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/no-mac-randomizing.conf
+++ b/etc/NetworkManager/conf.d/no-mac-randomizing.conf
@ -2,5 +2,3 @@
 # network.
 [device]
 wifi.scan-rand-mac-address=no
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/no-search-domains.conf
+++ b/etc/NetworkManager/conf.d/no-search-domains.conf
@ -1,8 +1,4 @@
 # This should stop search domains from being used and potentially leaking
 # queries to search domain DNS server when they fail
 [global-dns]
-#searches=
+searches=
 # I am doubtful of the above being enough
 searches=.
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/no-systemd-resolved.conf
+++ b/etc/NetworkManager/conf.d/no-systemd-resolved.conf
@ -1,6 +0,0 @@
 [main]
 # Don't tell systemd-resolved DNS information aquired from DHCP.
 systemd-resolved=false
 # NOTE! This file doesn't comment on how resolv.conf (rc) is managed
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/paws-off-my-resolv.conf
+++ b/etc/NetworkManager/conf.d/paws-off-my-resolv.conf
@ -1,8 +1,2 @@
 [main]
-# dns=none would disable all DNS management by NetworkManager, while the goal
+dns=none
 # here is to just not touch my resolv.conf. This implies NetworkManager may
 # still send data to systemd-resolved.
 #dns=none
 rc-manager=unmanaged
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/systemd-resolved.conf
+++ b/etc/NetworkManager/conf.d/systemd-resolved.conf
@ -1,10 +1,2 @@
 [main]
 # Send data to systemd-resolved
 dns=systemd-resolved
 # Even if I use systemd-resolved, I don't want NetworkManager to touch my
 # resolv.conf
 rc-manager=none
 # Implied, but made explicit
 systemd-resolved=true
 # vim: filetype=NetworkManager.conf
--- a/etc/NetworkManager/conf.d/unbound.conf
+++ b/etc/NetworkManager/conf.d/unbound.conf
@ -3,5 +3,3 @@
 # again seems to expect unbound-control-setup to be done/enabled
 [main]
 dns=unbound
 # vim: filetype=NetworkManager.conf
--- a/etc/hosts/blocklist
+++ b/etc/hosts/blocklist
@ -1,14 +1,14 @@
 #
 ##### BEGIN AMINDA BLOCKLIST #####
 # NOTE! systemd-resolved will automatically make ::1 also 127.0.0.1
 # Facebook API that a lot of things call, will break things for Facebook
 # users, so don't apply on hosts those use
-::1 graph.facebook.com
+:: graph.facebook.com
 0.0.0.0 graph.facebook.com
 # Unnecessary service for Matrix rooms. I was dared to block it.
-::1 matrix.to www.matrix.to
+:: matrix.to www.matrix.to
 0.0.0.0 matrix.to www.matrix.to
 ##### END AMINDA BLOCKLIST #####
 #
--- a/etc/hosts/dns
+++ b/etc/hosts/dns
@ -3,11 +3,11 @@
 # Well known DNS servers to be appended to /etc/hosts
-# Quad 9 Recommended (Secure)
+# Quad 9 Secure
-9.9.9.9 dns.quad9.net dns9.quad9.net
+9.9.9.9 dns.quad9.net
-149.112.112.112 dns.quad9.net dns9.quad9.net
+149.112.112.112 dns.quad9.net
-2620:fe::fe dns.quad9.net dns9.quad9.net
+2620:fe::fe dns.quad9.net
-2620:fe::9 dns.quad9.net dns9.quad9.net
+2620:fe::9 dns.quad9.net
 # Quad9 No Threat Blocking
 9.9.9.10 dns10.quad9.net
@ -30,50 +30,26 @@
 # DNS0 default
 193.110.81.0 dns0.eu
 185.253.5.0 dns0.eu
-# Uses private ECS, which gets inaccurate with IPv6 directing traffic to
+2a0f:fc80:: dns0.eu
-# other side of the country at best and different country at worst. Thus
+2a0f:fc81:: dns0.eu
 # attempt to make everything only use it for IPv4 (browser fallback is system
 # resolver which does IPv6 if IPv4 breaks, even if ECH will break).
 #2a0f:fc80:: dns0.eu
 #2a0f:fc81:: dns0.eu
 ::ffff:193.110.81.0 dns0.eu
 ::ffff:185.253.5.0 dns0.eu
 # DNS0 Zero
 193.110.81.9 zero.dns0.eu
 185.253.5.9 zero.dns0.eu
-# Uses private ECS, which gets inaccurate with IPv6 directing traffic to
+2a0f:fc80::9 zero.dns0.eu
-# other side of the country at best and different country at worst. Thus
+2a0f:fc81::9 zero.dns0.eu
 # attempt to make everything only use it for IPv4 (browser fallback is system
 # resolver which does IPv6 if IPv4 breaks, even if ECH will break).
 #2a0f:fc80::9 zero.dns0.eu
 #2a0f:fc81::9 zero.dns0.eu
 ::ffff:193.110.81.9 zero.dns0.eu
 ::ffff:185.253.5.9 zero.dns0.eu
 # DNS0 Kids
 193.110.81.1 kids.dns0.eu
 185.253.5.1 kids.dns0.eu
-# Uses private ECS, which gets inaccurate with IPv6 directing traffic to
+2a0f:fc80::1 kids.dns0.eu
-# other side of the country at best and different country at worst. Thus
+2a0f:fc81::1 kids.dns0.eu
 # attempt to make everything only use it for IPv4 (browser fallback is system
 # resolver which does IPv6 if IPv4 breaks, even if ECH will break).
 #2a0f:fc80::1 kids.dns0.eu
 #2a0f:fc81::1 kids.dns0.eu
 ::ffff:193.110.81.1 kids.dns0.eu
 ::ffff:185.253.5.1 kids.dns0.eu
 # DNS0 Open
 193.110.81.254 open.dns0.eu
 185.253.5.254 open.dns0.eu
-# Uses private ECS, which gets inaccurate with IPv6 directing traffic to
+2a0f:fc80::ffff open.dns0.eu
-# other side of the country at best and different country at worst. Thus
+2a0f:fc81::ffff open.dns0.eu
 # attempt to make everything only use it for IPv4 (browser fallback is system
 # resolver which does IPv6 if IPv4 breaks, even if ECH will break).
 #2a0f:fc80::ffff open.dns0.eu
 #2a0f:fc81::ffff open.dns0.eu
 ::ffff:193.110.81.254 open.dns0.eu
 ::ffff:185.253.5.254 open.dns0.eu
 # Cloudflare
 1.1.1.1 cloudflare-dns.com one.one.one.one
@ -93,14 +69,8 @@
 # AdGuard Default
 94.140.14.14 dns.adguard-dns.com
 94.140.15.15 dns.adguard-dns.com
-# Uses private ECS, which gets inaccurate with IPv6 directing traffic to
+2a10:50c0::ad1:ff dns.adguard-dns.com
-# other side of the country at best and different country at worst. Thus
+2a10:50c0::ad2:ff dns.adguard-dns.com
 # attempt to make everything only use it for IPv4 (browser fallback is system
 # resolver which does IPv6 if IPv4 breaks, even if ECH will break).
 #2a10:50c0::ad1:ff dns.adguard-dns.com
 #2a10:50c0::ad2:ff dns.adguard-dns.com
 ::ffff:94.140.14.14 dns.adguard-dns.com
 ::ffff:94.140.15.15 dns.adguard-dns.com
 # Google DNS
 8.8.8.8 dns.google dns.google.com
`@ -1 +1,2 @@`
		`dns-none.conf`
	`no-resolvconf.conf`	`no-resolvconf.conf`