unbound: mark dot-flushable-cache.conf as .badidea

This reverts commit afe50117fe.

conf/librewolf.overrides.cfg

@@ -8,6 +8,8 @@
 // and finally becoming Firefox autoconfig file copied from
 // https://codeberg.org/librewolf/settings/src/branch/master/librewolf.cfg
 
+// NOTE! A lot is commented either for being a note, wrong, TODO, whatever, or most likely in my /etc/firefox/policies/policies.json
+
 // Firefox autoconfig
 pref("autoadmin.global_config_url", "https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/librewolf.overrides.cfg");
 pref("general.config.obscure_value", 0);
@@ -20,7 +22,7 @@ pref("autoadmin.failover_to_cached", true);
 //pref("intl.regional_prefs.use_os_locales", false);
 
 // via https://www.ghacks.net/2017/10/27/how-to-enable-firefox-webextensions-on-mozilla-websites/
-pref("extensions.webextensions.restrictedDomains", "");
+//pref("extensions.webextensions.restrictedDomains", "");
 //pref("privacy.resistFingerprinting.block_mozAddonManage", true);
 // Block cookie banners. Warning: may result to auto-accepting cookies.
 // https://www.ghacks.net/2022/12/24/configure-firefox-to-reject-cookie-banners-automatically/
@@ -69,12 +71,12 @@ defaultPref("intl.accept_languages", "fi, en");
 //pref("intl.accept_languages", "eo, fi");
 
 // No JavaScript allowed in internal pdf viewer
-pref("pdfjs.enableScripting", false);
+//pref("pdfjs.enableScripting", false);
 
 // Dark mode
-pref("ui.systemUsesDarkTheme", 1);
+//pref("ui.systemUsesDarkTheme", 1);
 pref("prefers-color-scheme", "dark");
-pref("pdfjs.viewerCssTheme", 2);
+//pref("pdfjs.viewerCssTheme", 2);
 
 // Enable Firefox accounts
 pref("identity.fxaccounts.enabled", true);
@@ -93,36 +95,34 @@ pref("privacy.clearOnShutdown.siteSettings", false);
 defaultPref("browser.sessionstore.resume_from_crash", false);
 
 // Click to play. https://wiki.mozilla.org/Media/block-autoplay
-pref("media.autoplay.blocking_policy", 2);
+//pref("media.autoplay.blocking_policy", 2);
 
 // No corporate CA MITM
-defaultPref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
+//defaultPref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
 
 // Decrease animations
 pref("image.animation_mode", "once");
 
 // Punycode
-pref("network.IDN_show_punycode", true);
+//pref("network.IDN_show_punycode", true);
 
 // Enforce reader mode enabling?
 pref("reader.parse-on-load.force-enabled", true);
 
 // TRR & ECH
-// WARNING: policies.json lock enforces mode 2. However it won't matter
-// since the system resolver is encrypted, right?
 // Mode 2 allows fallback to system resolver, 3 is TTR-only.
 //pref("network.trr.mode", 2);
-defaultPref("network.trr.mode", 3);
-pref("network.trr.early-AAAA", true);
+//defaultPref("network.trr.mode", 3);
+//pref("network.trr.early-AAAA", true);
 //defaultPref("network.trr.uri", "https://dns0.eu/");
-defaultPref("network.trr.uri", "https://dns11.quad9.net/dns-query");
+//defaultPref("network.trr.uri", "https://dns11.quad9.net/dns-query");
 //defaultPref("network.trr.uri", "https://dns.adguard-dns.com/dns-query");
 // NOTE: ECH requires TRR, so mode 2 may not use it.
-defaultPref("network.trr.disable-ECS", false);
-pref("network.dns.echconfig.enabled", true);
-pref("network.dns.use_https_rr_as_altsvc", true);
-pref("network.trr.exclude-etc-hosts", false);
-pref("network.trr.excluded-domains", "http.badssl.com,norwegianwifi.com,mywifiext.net,tplinkrepeater.net,router.asus.com");
+//defaultPref("network.trr.disable-ECS", false);
+//pref("network.dns.echconfig.enabled", true);
+//pref("network.dns.use_https_rr_as_altsvc", true);
+//pref("network.trr.exclude-etc-hosts", false);
+//pref("network.trr.excluded-domains", "http.badssl.com,norwegianwifi.com,mywifiext.net,tplinkrepeater.net,router.asus.com");
 
 // Default UI scale
 defaultPref("layout.css.devPixelsPerPx", "1.5");
@@ -136,7 +136,7 @@ pref("browser.cache.memory.enable", true);
 //pref("browser.startup.page", 1);
 // Simplified DDG experience without prompts for extension and all
 //pref("browser.startup.homepage", "https://start.duckduckgo.com");
-defaultPref("browser.startup.homepage", "about:mozilla");
+//defaultPref("browser.startup.homepage", "about:mozilla");
 
 // https://codeberg.org/librewolf/settings/src/branch/master/librewolf.cfg begins
 
@@ -146,7 +146,7 @@ defaultPref("browser.startup.homepage", "about:mozilla");
 pref("privacy.userContext.enabled", true);
 pref("privacy.userContext.ui.enabled", true);
 
-pref("browser.contentblocking.category", "strict");
+//pref("browser.contentblocking.category", "strict");
 pref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
 pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false);
 
@@ -173,7 +173,7 @@ pref("network.auth.subresource-http-auth-allow", 1); // block HTTP authenticatio
  * as a general rule, the behavior of referes which are not cross-origin should not
  * be changed.
  */
-pref("network.http.referer.XOriginTrimmingPolicy", 2);
+//pref("network.http.referer.XOriginTrimmingPolicy", 2);
 
 /** [SECTION] WEBRTC
  * there is no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+.
@@ -188,16 +188,16 @@ pref("network.proxy.socks_remote_dns", true); // forces dns query through the pr
 pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webrtc inside proxy when one is used
 
 /** [SECTION] DNS */
-pref("network.dns.disablePrefetch", true); // disable dns prefetching
+//pref("network.dns.disablePrefetch", true); // disable dns prefetching
 pref("network.dns.skipTRR-when-parental-control-enabled", false);  // Arkenfox user.js v117
 
 /** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS
  * disable prefecthing for different things such as links, bookmarks and predictions.
  */
-pref("network.predictor.enabled", false);
-pref("network.prefetch-next", false);
-pref("network.http.speculative-parallel-limit", 0);
-pref("browser.places.speculativeConnect.enabled", false);
+//pref("network.predictor.enabled", false);
+//pref("network.prefetch-next", false);
+//pref("network.http.speculative-parallel-limit", 0);
+//pref("browser.places.speculativeConnect.enabled", false);
 // disable speculative connections and domain guessing from the urlbar
 pref("browser.urlbar.speculativeConnect.enabled", false);
 
@@ -226,7 +226,7 @@ pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
  * in v103, when crlite is fully mature, it will switch to mode 2 and no longer double-check.
  */
 pref("security.remote_settings.crlite_filters.enabled", true);
-pref("security.OCSP.require", true); // set to hard-fail, might cause SEC_ERROR_OCSP_SERVER_ERROR
+//pref("security.OCSP.require", true); // set to hard-fail, might cause SEC_ERROR_OCSP_SERVER_ERROR
 
 /** [SECTION] TLS/SSL */
 pref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
@@ -294,7 +294,7 @@ pref("browser.download.alwaysOpenPanel", false); // do not expand toolbar menu f
  * or media opened while other media is played will not start automatically.
  * thumbnails will not autoplay unless hovered. exceptions can be set from the UI.
  */
-pref("media.autoplay.default", 5);
+//pref("media.autoplay.default", 5);
 
 /** [SECTION] POP-UPS AND WINDOWS
  * prevent scripts from resizing existing windows and opening new ones, by forcing them into
@@ -386,11 +386,11 @@ pref("browser.newtabpage.activity-stream.default.sites", "");
 /** [SECTION] ABOUT
  * remove annoying ui elements from the about pages, including about:protections
  */
-pref("browser.contentblocking.report.lockwise.enabled", false);
-pref("browser.contentblocking.report.hide_vpn_banner", true);
-pref("browser.contentblocking.report.vpn.enabled", false);
-pref("browser.contentblocking.report.show_mobile_app", false);
-pref("browser.vpn_promo.enabled", false);
+//pref("browser.contentblocking.report.lockwise.enabled", false);
+//pref("browser.contentblocking.report.hide_vpn_banner", true);
+//pref("browser.contentblocking.report.vpn.enabled", false);
+//pref("browser.contentblocking.report.show_mobile_app", false);
+//pref("browser.vpn_promo.enabled", false);
 pref("browser.promo.focus.enabled", false);
 // ...about:addons recommendations sections and more
 pref("extensions.htmlaboutaddons.recommendations.enabled", false);
@@ -399,7 +399,7 @@ pref("lightweightThemes.getMoreURL", ""); // disable button to get more themes
 // ...about:preferences#home
 pref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button
 // ...and about:config
-pref("browser.aboutConfig.showWarning", false);
+//pref("browser.aboutConfig.showWarning", false);
 // hide about:preferences#moreFromMozilla
 pref("browser.preferences.moreFromMozilla", false);
 

etc/firefox/policies/README.md

@@ -13,12 +13,14 @@ per whatever I am doing.
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
 - [WARNING TO LIBREWOLF USERS](#warning-to-librewolf-users)
-- [WARNING TO TRR/ENCRYPTED DNS USERS!](#warning-to-trrencrypted-dns-users)
 - [Extensions](#extensions)
   - [Privacy Badger](#privacy-badger)
+    - [Duplicate](#duplicate)
 - [Search engines](#search-engines)
 - [Useful looking things for the future](#useful-looking-things-for-the-future)
   - [Certificate installations](#certificate-installations)
+- [Things that look useful, but aren't](#things-that-look-useful-but-arent)
+  - [WebSiteFilter](#websitefilter)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
@@ -31,11 +33,6 @@ This file takes priority over
 `/usr/share/librewolf/distribution/policies.json` so don't apply this or
 a lot of LibreWolf specific customizations stops being in force.
 
-## WARNING TO TRR/ENCRYPTED DNS USERS!
-
-If `policies.json` locks DNS over HTTPS, `trr.mode` gets locked into `2` which
-means fallback to system resolver.
-
 ## Extensions
 
 They are mostly self-explanatory.
@@ -52,6 +49,18 @@ See also:
 - https://github.com/EFForg/privacybadger/blob/master/doc/admin-deployment.md
 - https://github.com/EFForg/privacybadger/blob/master/src/data/schema.json
 
+#### Duplicate
+
+```diff
+-      "jid1-MnnxcxisBPnSXQ-eff@jetpack": {
+-        "install_url": "https://www.eff.org/files/privacy-badger-latest.xpi",
++      "jid1-MnnxcxisBPnSXQ@jetpack": {
++        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi",
+```
+
+The EFF.org version won't sync and if you sync with unmanaged computer, you
+will have two PrivacyBadgers. Congratulations?
+
 ## Search engines
 
 > Policy SearchEngines is only allowed on ESR.
@@ -73,3 +82,24 @@ In the `certificates` section
   "Install": ["my_certificate_here.pem"]
 }
 ```
+
+## Things that look useful, but aren't
+
+### WebSiteFilter
+
+```json
+{
+  "policies": {
+    "WebsiteFilter": {
+      "Block": ["<all_urls>"],
+      "Exceptions": ["http://example.org/*"]
+    }
+  }
+}
+```
+
+Ok, nice, but my policy is already forcing AdNauseam which enforces my
+blocklist which is more practical.
+
+Granted users can use private browsing mode to get past it, but I am not
+blocking actively malicious domains.

etc/firefox/policies/policies.json

@@ -41,7 +41,7 @@
             ]
           }
         },
-        "jid1-MnnxcxisBPnSXQ-eff@jetpack": {
+        "jid1-MnnxcxisBPnSXQ@jetpack": {
           "checkForDNTPolicy": true,
           "disabledSites": [
             "app.element.io",
@@ -67,6 +67,10 @@
         }
       }
     },
+    "BlockAboutAddons": false,
+    "BlockAboutConfig": false,
+    "BlockAboutProfiles": false,
+    "BlockAboutSupport": false,
     "Certificates": {
       "ImportEnterpriseRoots": false
     },
@@ -81,8 +85,13 @@
     },
     "DNSOverHTTPS": {
       "Enabled": true,
-      "Locked": true,
-      "ProviderURL": "https://dns11.quad9.net/dns-query"
+      "ExcludedDomains": [
+        "http.badssl.com",
+        "norwegianwifi.com"
+      ],
+      "Fallback": false,
+      "Locked": false,
+      "ProviderURL": "https://dns.quad9.net/dns-query"
     },
     "DisableEncryptedClientHello": false,
     "DisablePocket": true,
@@ -130,7 +139,11 @@
         "installation_mode": "normal_installed"
       },
       "jid1-MnnxcxisBPnSXQ-eff@jetpack": {
-        "install_url": "https://www.eff.org/files/privacy-badger-latest.xpi",
+        "blocked_install_message": "Kaksoiskappale samasta lisäosasta.",
+        "installation_mode": "blocked"
+      },
+      "jid1-MnnxcxisBPnSXQ@jetpack": {
+        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi",
         "installation_mode": "force_installed"
       },
       "peertube-companion@booteille": {
@@ -200,15 +213,178 @@
       "StartPage": "previous-session",
       "URL": "about:mozilla"
     },
+    "NetworkPrediction": false,
+    "NewTabPage": false,
     "OverrideFirstRunPage": "about:mozilla",
     "PDFjs": {
       "EnablePermissions": false,
       "Enabled": true
     },
     "Preferences": {
+      "browser.aboutConfig.showWarning": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": false
+      },
+      "browser.contentblocking.category": {
+        "Status": "locked",
+        "Type": "string",
+        "Value": "strict"
+      },
+      "browser.contentblocking.report.hide_vpn_banner": {
+        "Status": "default",
+        "Type": "boolean",
+        "Value": true
+      },
+      "browser.contentblocking.report.lockwise.enabled": {
+        "Status": "default",
+        "Type": "boolean",
+        "Value": false
+      },
+      "browser.contentblocking.report.show_mobile_app": {
+        "Status": "default",
+        "Type": "boolean",
+        "Value": false
+      },
+      "browser.contentblocking.report.vpn.enabled": {
+        "Status": "default",
+        "Type": "boolean",
+        "Value": false
+      },
+      "extensions.webextensions.restrictedDomains": {
+        "Status": "locked",
+        "Type": "string",
+        "Value": ""
+      },
+      "intl.accept_languages": {
+        "Status": "default",
+        "Type": "string",
+        "Value": "fi, en"
+      },
+      "layout.css.devPixelsPerPx": {
+        "Status": "default",
+        "Type": "string",
+        "Value": "1.5"
+      },
+      "media.autoplay.default": {
+        "Status": "default",
+        "Type": "number",
+        "Value": 5
+      },
+      "network.IDN_show_punycode": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "network.dns.echconfig.enabled": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "network.dns.use_https_rr_as_altsvc": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "network.http.referer.XOriginTrimmingPolicy": {
+        "Status": "default",
+        "Type": "number",
+        "Value": 2
+      },
+      "network.http.referer.defaultPolicy": {
+        "Status": "default",
+        "Type": "number",
+        "Value": 1
+      },
+      "network.http.speculative-parallel-limit": {
+        "Status": "locked",
+        "Type": "number",
+        "Value": 0
+      },
+      "network.predictor.enabled": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": false
+      },
+      "network.prefetch-next": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": false
+      },
+      "network.trr.disable-ECS": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "network.trr.display_fallback_warning": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "network.trr.early-AAAA": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "network.trr.exclude-etc-hosts": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": false
+      },
       "pdfjs.enableScripting": {
         "Status": "locked",
+        "Type": "boolean",
         "Value": false
+      },
+      "pdfjs.forcePageColors": {
+        "Status": "default",
+        "Type": "boolean",
+        "Value": true
+      },
+      "pdfjs.pageColorsBackground": {
+        "Status": "default",
+        "Type": "string",
+        "Value": "#000000"
+      },
+      "pdfjs.pageColorsForeground": {
+        "Status": "default",
+        "Type": "string",
+        "Value": "#ffb700"
+      },
+      "privacy.userContext.enabled": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "privacy.userContext.ui.enabled": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "security.OCSP.require": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "security.insecure_connection_text.enabled": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "security.insecure_connection_text.pbmode.enabled": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "security.ssl.enable_ocsp_stapling": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "ui.systemUsesDarkTheme": {
+        "Status": "default",
+        "Type": "number",
+        "Value": 1
       }
     },
     "SearchEngines": {

etc/init-browser-policies.bash

@@ -3,6 +3,12 @@
 # their policies. The user is trusted to setup those manually.
 set -x
 
+# Require root or exit
+if [ "$(id -u)" != "0" ]; then
+	echo "This script requires root for managing /etc/" 1>&2
+	exit 1
+fi
+
 # Firefox and LibreWolf (caution! https://codeberg.org/librewolf/issues/issues/1767)
 mkdir -vp /etc/firefox/policies
 chmod -v a+rx /etc/firefox/
@@ -13,6 +19,7 @@ printf "WARNING! LibreWolf default profile may be masked!\nhttps://codeberg.org/
 
 # Firefox ESR
 ln -sfv /etc/firefox /etc/firefox-esr
+rm -fv /etc/firefox-esr/firefox-esr
 
 # Chromium
 mkdir -vp /etc/opt/chromium/policies/managed
@@ -22,12 +29,15 @@ chmod -v a+rx /etc/opt/chromium/policies/{managed,recommended}/
 
 # Brave
 ln -sfv /etc/opt/chromium /etc/brave
+rm -fv /etc/brave/brave
 
 # Vivaldi
 ln -sfv /etc/opt/chromium /etc/chromium
+rm -fv /etc/chromium/chromium
 
 # Google Chrome
 ln -sfv /etc/opt/chromium /etc/opt/chrome
+rm -fv /etc/etc/opt/chrome/chrome
 
 # Microsoft Edge
 # NOTE! It breaks chrome:// URLs so the recommended policy apps as new tab page
@@ -36,6 +46,7 @@ ln -sfv /etc/opt/chromium /etc/opt/chrome
 #ln -sfv /etc/opt/chromium /etc/opt/edge
 mkdir -vp /etc/opt/edge/policies/recommended
 ln -sfv /etc/opt/chromium/policies/managed /etc/opt/edge/policies/managed
+rm -fv /etc/opt/edge/policies/managed/managed
 printf "WARNING! Edge recommended profiles are managed separately.\n"
 
 set +x

etc/samba/playstation2.conf

@@ -27,8 +27,10 @@ deadtime = 0
 keepalive = 60
 
 # All guides seem to use the name PS2SMB, and it may require manual typing
-# on the console
-[PS2SMB]
+# on the console.
+# REMEMBER! Like with Windows, the trailing $ makes the share unlisted, you
+# will need to enter it on the PS2 and other devices though!
+[PS2SMB$]
 Comment = PlayStation2 images
 # PS2 IP
 #hosts allow = 192.168.88.5

etc/unbound/unbound.conf.d/dns-over-tls.conf

@@ -12,8 +12,6 @@ server:
 # This list is for my travel laptop to have at least one DoT443 server
 # which seems to be applied-privacy.net. They advice having multiple DoT servers
 # for redundancy and as they don't filter, it's best I use other non-filtering ones.
-# Since then this expanded to include <https://www.privacyguides.org/en/dns/>.
-# just look at git blame...
 
 forward-zone:
 	name: "."
@@ -50,26 +48,5 @@ forward-zone:
 	forward-addr: 2620:fe::10@8853#dns10.quad9.net
 	forward-addr: 9.9.9.10@853#dns10.quad9.net
 	forward-addr: 9.9.9.10@8853#dns10.quad9.net
-	# Quad9 unfiltered, anycast, ECS, no DNSSEC (Unbound does that)
-	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
-	#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
-	#forward-addr: 9.9.9.12@853#dns12.quad9.net
-	#forward-addr: 9.9.9.12@8853#dns12.quad9.net
-	#forward-addr: 2620:fe::12@853#dns12.quad9.net
-	#forward-addr: 2620:fe::12@8853#dns12.quad9.net
-	#forward-addr: 149.112.112.12@853#dns12.quad9.net
-	#forward-addr: 149.112.112.12@8853#dns12.quad9.net
-
-	# https://www.dns0.eu/open https://www.dns0.eu/network - French based. Private ECS
-	forward-addr: 193.110.81.254@853#open.dns0.eu
-	forward-addr: 185.253.5.254@853#open.dns0.eu
-	forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
-	forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
-
-	# Adguard DNS Unfiltered Anycast. Malta based. Private ECS.
-	forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
-	forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
-	forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
-	forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com
 
 # vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dns64-over-tls.conf

@@ -4,7 +4,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# ctrl.blog says this is the Fedora location
+	# Fedora
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes

etc/unbound/unbound.conf.d/dot-adguard.conf

@@ -1,7 +1,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# ctrl.blog says this is the Fedora location
+	# Fedora
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes

etc/unbound/unbound.conf.d/dot-cloudflare.conf

@@ -1,7 +1,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# ctrl.blog says this is the Fedora location
+	# Fedora
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes

etc/unbound/unbound.conf.d/dot-dns0-quad9.conf

@@ -28,7 +28,9 @@ forward-zone:
 	forward-addr: 193.110.81.0@853#dns0.eu
 	forward-addr: 185.253.5.0@853#dns0.eu
 ## Quad9 IPv6 Secure + ECS
+	forward-addr: 2620:fe::11@8853#dns11.quad9.net
 	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
 	forward-addr: 2620:fe::11@853#dns11.quad9.net
+	forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
 
 # vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-dns0.conf

@@ -1,7 +1,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# ctrl.blog says this is the Fedora location
+	# Fedora
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes

etc/unbound/unbound.conf.d/dot-mullvad.conf

@@ -1,7 +1,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# ctrl.blog says this is the Fedora location
+	# Fedora
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes

etc/unbound/unbound.conf.d/dot-quad9.conf

@@ -5,7 +5,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# ctrl.blog says this is the Fedora location
+	# Fedora
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes