update submodule jauderho-nts-servers

etc/opt/chromium/policies/managed/.editorconfig

@@ -0,0 +1,5 @@
+root = false
+
+[*.json.badidea]
+indent_style = space
+indent_size = 2

etc/opt/chromium/policies/managed/.gitattributes

@@ -0,0 +1 @@
+*.json.badidea	linguist-language=json

etc/opt/chromium/policies/managed/README.md

@@ -35,19 +35,19 @@
 - [`disable-brave-tor.json`](#disable-brave-torjson)
 - [`disable-brave-vpn.json`](#disable-brave-vpnjson)
 - [`disable-floc.json`](#disable-flocjson)
-- [`disable-incognito.json`](#disable-incognitojson)
+- [`disable-incognito.json.badidea`](#disable-incognitojsonbadidea)
 - [`doh-cloudflare-secure.json`](#doh-cloudflare-securejson)
 - [`doh-unlocked-unset.json`](#doh-unlocked-unsetjson)
 - [`doh-dns0.json`](#doh-dns0json)
 - [`doh-mullvad-base.json`](#doh-mullvad-basejson)
 - [`doh-quad9-ecs.json`](#doh-quad9-ecsjson)
-- [`doh-quad9-insecure-ecs.json`](#doh-quad9-insecure-ecsjson)
-- [`doh-quad9-insecure.json`](#doh-quad9-insecurejson)
+- [`doh-quad9-insecure-ecs.json.badidea`](#doh-quad9-insecure-ecsjsonbadidea)
+- [`doh-quad9-insecure.json.badidea`](#doh-quad9-insecurejsonbadidea)
 - [`doh-quad9.json`](#doh-quad9json)
 - [`enable-ech-ocsp.json`](#enable-ech-ocspjson)
 - [`enable-labs.json`](#enable-labsjson)
 - [`fix-edge-search.json`](#fix-edge-searchjson)
-- [`force-incognito.json`](#force-incognitojson)
+- [`force-incognito.json.badidea`](#force-incognitojsonbadidea)
 - [`https-everywhere.json`](#https-everywherejson)
 - [`README.md`](#readmemd)
 
@@ -247,7 +247,7 @@ Disables floc or ad topics that are against privacy.
 
 - https://start.duckduckgo.com/?q=google+floc+privacy+topics
 
-## `disable-incognito.json`
+## `disable-incognito.json.badidea`
 
 Disables incognito mode. I don't recommend this.
 
@@ -259,9 +259,11 @@ Sets Cloudflare with malware protection as the forced DNS-over-HTTPS server.
 
 If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.
 
-Incompatible with other `doh-*.json` file, because they set `"DnsOverHttpsMode": "secure",`.
-
-**_This also causes there to not be ECH._**
+My other `doh-*.json` set this as well, because `secure` doesn't allow
+downgrade to system resolver and Chromium seems somewhat unreliable with it often reporting
+`DNS_PROBE_POSSIBLE` and while this occassionally disables ECH, it works and
+my system resolvers are encrypted. I hope they will implement ECH with system
+resolver soon to fix this.
 
 ## `doh-dns0.json`
 
@@ -278,12 +280,12 @@ Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker bl
 Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
 their alternative port.
 
-## `doh-quad9-insecure-ecs.json`
+## `doh-quad9-insecure-ecs.json.badidea`
 
 Forces DNS over HTTPS with Quad9 ECS enabled unfiltered server and also contains
 their alternative port. **No DNSSEC either.**
 
-## `doh-quad9-insecure.json`
+## `doh-quad9-insecure.json.badidea`
 
 Forces DNS over HTTPS with Quad9 unfiltered server and also contains
 their alternative port. **No DNSSEC either.**
@@ -297,7 +299,10 @@ their alternative port.
 
 Enables encrypted client hello (ECH) and Online Certificate Status Protocol (OCSP) (or Certificate Revocation List (CRL)?) checks.
 
-However ECH seems to require `"DnsOverHttpsMode": "secure"` from the `doh-*` files and OCSP seems to bypass that going to the system resolver.
+However ECH requires `"DnsOverHttpsMode": "secure"` which will break things
+(and thus my files don't enable it),
+or it will occassionally get disabled (I hope they implement it with system
+resolver soon).
 
 ## `enable-labs.json`
 
@@ -309,7 +314,7 @@ Tells Microsoft Edge to redirect queries from new tab search box to URL bar
 effectively forcing it to respect user configured search engine instead of
 stealthily sending those queries to Bing.
 
-## `force-incognito.json`
+## `force-incognito.json.badidea`
 
 Forces incognito mode. I don't recommend this.
 

etc/opt/chromium/policies/managed/dns-over-https.json.badidea

@@ -0,0 +1,9 @@
+{
+  "comment": "This is a bad idea, because I don't know other DNS servers that
+  perform DNSSEC in addition to DNS-over-HTTPS, I just know these two do and
+  Quad9 doesn't. This would otherwise be the unbound.conf.d/dns-over-tls.conf
+  equivalent.",
+  "DnsOverHttpsMode": "automatic",
+  "DnsOverHttpsTemplates": "https://open.dns0.eu/
+  https://doh.applied-privacy.net/query"
+}

etc/opt/chromium/policies/managed/doh-cloudflare-secure.json

@@ -1,4 +1,4 @@
 {
-  "DnsOverHttpsMode": "secure",
+  "DnsOverHttpsMode": "automatic",
   "DnsOverHttpsTemplates": "https://security.cloudflare-dns.com/dns-query"
 }

etc/opt/chromium/policies/managed/doh-dns0-kids.json

@@ -1,4 +1,4 @@
 {
-  "DnsOverHttpsMode": "secure",
+  "DnsOverHttpsMode": "automatic",
   "DnsOverHttpsTemplates": "https://kids.dns0.eu/"
 }

etc/opt/chromium/policies/managed/doh-dns0-open.json

@@ -1,4 +1,4 @@
 {
-  "DnsOverHttpsMode": "secure",
+  "DnsOverHttpsMode": "automatic",
   "DnsOverHttpsTemplates": "https://open.dns0.eu/"
 }

etc/opt/chromium/policies/managed/doh-dns0-zero.json

@@ -1,4 +1,4 @@
 {
-  "DnsOverHttpsMode": "secure",
+  "DnsOverHttpsMode": "automatic",
   "DnsOverHttpsTemplates": "https://zero.dns0.eu/"
 }

etc/opt/chromium/policies/managed/doh-dns0.json

@@ -1,4 +1,4 @@
 {
-  "DnsOverHttpsMode": "secure",
+  "DnsOverHttpsMode": "automatic",
   "DnsOverHttpsTemplates": "https://dns0.eu/"
 }

etc/opt/chromium/policies/managed/doh-mullvad-base.json

@@ -1,4 +1,4 @@
 {
-  "DnsOverHttpsMode": "secure",
+  "DnsOverHttpsMode": "automatic",
   "DnsOverHttpsTemplates": "https://base.dns.mullvad.net/dns-query"
 }

etc/opt/chromium/policies/managed/doh-quad9-ecs.json

@@ -1,4 +1,4 @@
 {
-  "DnsOverHttpsMode": "secure",
+  "DnsOverHttpsMode": "automatic",
   "DnsOverHttpsTemplates": "https://dns11.quad9.net/dns-query https://dns11.quad9.net:5053/dns-query"
 }

etc/opt/chromium/policies/managed/doh-quad9-insecure-ecs.json.badidea

@@ -1,4 +1,4 @@
 {
-  "DnsOverHttpsMode": "secure",
+  "DnsOverHttpsMode": "automatic",
   "DnsOverHttpsTemplates": "https://dns12.quad9.net/dns-query https://dns12.quad9.net:5053/dns-query"
 }

etc/opt/chromium/policies/managed/doh-quad9-insecure.json.badidea

@@ -1,4 +1,4 @@
 {
-  "DnsOverHttpsMode": "secure",
+  "DnsOverHttpsMode": "automatic",
   "DnsOverHttpsTemplates": "https://dns10.quad9.net/dns-query https://dns10.quad9.net:5053/dns-query"
 }

etc/opt/chromium/policies/managed/doh-quad9.json

@@ -1,4 +1,4 @@
 {
-  "DnsOverHttpsMode": "secure",
+  "DnsOverHttpsMode": "automatic",
   "DnsOverHttpsTemplates": "https://dns.quad9.net/dns-query https://dns.quad9.net:5053/dns-query"
 }

etc/systemd/resolved.conf.d/00-defaults.conf

@@ -4,6 +4,7 @@
 # BREAKAGE WARNING for everything else than DNSSEC=false !
 # https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
 # PRIVACY WARNING! systemd-networkd/links may override this.
+# NOTE: Empty variables unset whatever is set before! They are not a mistake.
 DNSSEC=true
 # Take the risk of downgrade attacks. Web browser policies enforce
 # DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
@@ -11,10 +12,13 @@ DNSSEC=true
 #DNSOverTLS=opportunistic
 DNSOverTLS=true
 Cache=true
-# Consider local DNS servers if they exist. Empty should erase previous values.
+# Consider local DNS servers if they exist.
 DNS=
-DNS=127.0.0.1
 DNS=::1
+DNS=127.0.0.1
+FallbackDNS=
+FallbackDNS=::1
+FallbackDNS=127.0.0.1
 Domains=~.
 # .local domains
 MulticastDNS=true

etc/systemd/resolved.conf.d/dot-443.conf

@@ -1,5 +1,7 @@
 [Resolve]
 DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
+# OK, this is not 443, but it bothers me to not have both ports used.
+DNS=[2a02:1b8:10:234::2]:853#dot1.applied-privacy.net 146.255.56.98:853#dot1.applied-privacy.net
 #DNSOverTLS=true
 
 # vim: filetype=systemd

etc/systemd/resolved.conf.d/zz-local-resolver.conf

@@ -0,0 +1,14 @@
+# Being at the end of the English alphabet, this file will take priority
+# and override values of others with the unsets.
+[Resolve]
+DNSSEC=false
+DNSOverTLS=false
+Cache=false
+DNS=
+DNS=::1
+DNS=127.0.0.1
+FallbackDNS=
+FallbackDNS=::1
+FallbackDNS=127.0.0.1
+Domains=~.
+# vim: filetype=systemd

etc/systemd/system/service.d/firewalld-icmpv6.conf

@@ -0,0 +1,6 @@
+[Unit]
+Wants=firewalld.service
+After=firewalld.service
+
+[Service]
+ExecStartPost=/usr/bin/firewall-cmd --add-protocol=ipv6-icmp

etc/systemd/system/yggdrasil.service.d/.gitignore

@@ -0,0 +1,3 @@
+firewalld-icmpv6.conf
+never-fail.conf
+restore-ipv6.conf

etc/systemd/system/yggdrasil.service.d/firewalld-icmpv6.conf

@@ -0,0 +1 @@
+../service.d/firewalld-icmpv6.conf

etc/systemd/system/yggdrasil.service.d/restore-ipv6.conf

@@ -0,0 +1 @@
+../service.d/restore-ipv6.conf

etc/unbound/unbound.conf.d/dns-over-tls.conf

@@ -17,9 +17,30 @@ forward-zone:
 	name: "."
 	forward-tls-upstream: yes
 
-	# https://appliedprivacy.net/services/dns/ - Vienna, Austria
+	# https://appliedprivacy.net/services/dns/ - Vienna, Austria, no ECS
 	forward-addr: 2a02:1b8:10:234::2@443#dot1.applied-privacy.net
 	forward-addr: 146.255.56.98@443#dot1.applied-privacy.net
+	forward-addr: 2a02:1b8:10:234::2@853#dot1.applied-privacy.net
+	forward-addr: 146.255.56.98@853#dot1.applied-privacy.net
+
+	# Quad9 unfiltered, anycast, no ECS, no DNSSEC (Unbound does that)
+	forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
+	forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
+	forward-addr: 149.112.112.10@853#dns10.quad9.net
+	forward-addr: 149.112.112.10@8853#dns10.quad9.net
+	forward-addr: 2620:fe::10@853#dns10.quad9.net
+	forward-addr: 2620:fe::10@8853#dns10.quad9.net
+	forward-addr: 9.9.9.10@853#dns10.quad9.net
+	forward-addr: 9.9.9.10@8853#dns10.quad9.net
+	# Quad9 unfiltered, anycast, ECS, no DNSSEC (Unbound does that)
+	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
+	#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
+	#forward-addr: 9.9.9.12@853#dns12.quad9.net
+	#forward-addr: 9.9.9.12@8853#dns12.quad9.net
+	#forward-addr: 2620:fe::12@853#dns12.quad9.net
+	#forward-addr: 2620:fe::12@8853#dns12.quad9.net
+	#forward-addr: 149.112.112.12@853#dns12.quad9.net
+	#forward-addr: 149.112.112.12@8853#dns12.quad9.net
 
 	# https://www.dns0.eu/open https://www.dns0.eu/network - French based. Private ECS
 	forward-addr: 193.110.81.254@853#open.dns0.eu

submodules/jauderho-nts-servers

@@ -1 +1 @@
-Subproject commit ee52e648efc64443185543fef1bc561691524751
+Subproject commit 69d13c9d1a572742ccb7b4e81f83fd8376de4b1c

var/spool/cron/root

@@ -1,6 +1,9 @@
 # Ensure /etc/sysctl.d/ gets read
 @reboot /usr/sbin/sysctl -p --system >/dev/null 2>&1
 
+# Ensure we really allow ICMPv6 on FEDORA
+@reboot /usr/bin/firewall-cmd --add-protocol=ipv6-icmp >/dev/null 2>&1
+
 # 3rd party Xbox controller initialization. See Mikaela/gist/gayming/
 @reboot /root/fixcontroller.py