Compare commits
11 Commits
7c80e2c329
...
82214710c1
Author | SHA1 | Date |
---|---|---|
Aminda Suomalainen | 82214710c1 | |
Aminda Suomalainen | 1ea9fff29a | |
Aminda Suomalainen | f87c4899b6 | |
Aminda Suomalainen | 861b35c25f | |
Aminda Suomalainen | 342e3116a6 | |
Aminda Suomalainen | d17ad34650 | |
Aminda Suomalainen | 52b0807fcb | |
Aminda Suomalainen | 520470e3dd | |
Aminda Suomalainen | 5869247cc3 | |
Aminda Suomalainen | 45cf5ecf61 | |
Aminda Suomalainen | 32883d5c73 | |
|
@ -0,0 +1,5 @@
|
|||
root = false
|
||||
|
||||
[*.json.badidea]
|
||||
indent_style = space
|
||||
indent_size = 2
|
|
@ -0,0 +1 @@
|
|||
*.json.badidea linguist-language=json
|
|
@ -35,19 +35,19 @@
|
|||
- [`disable-brave-tor.json`](#disable-brave-torjson)
|
||||
- [`disable-brave-vpn.json`](#disable-brave-vpnjson)
|
||||
- [`disable-floc.json`](#disable-flocjson)
|
||||
- [`disable-incognito.json`](#disable-incognitojson)
|
||||
- [`disable-incognito.json.badidea`](#disable-incognitojsonbadidea)
|
||||
- [`doh-cloudflare-secure.json`](#doh-cloudflare-securejson)
|
||||
- [`doh-unlocked-unset.json`](#doh-unlocked-unsetjson)
|
||||
- [`doh-dns0.json`](#doh-dns0json)
|
||||
- [`doh-mullvad-base.json`](#doh-mullvad-basejson)
|
||||
- [`doh-quad9-ecs.json`](#doh-quad9-ecsjson)
|
||||
- [`doh-quad9-insecure-ecs.json`](#doh-quad9-insecure-ecsjson)
|
||||
- [`doh-quad9-insecure.json`](#doh-quad9-insecurejson)
|
||||
- [`doh-quad9-insecure-ecs.json.badidea`](#doh-quad9-insecure-ecsjsonbadidea)
|
||||
- [`doh-quad9-insecure.json.badidea`](#doh-quad9-insecurejsonbadidea)
|
||||
- [`doh-quad9.json`](#doh-quad9json)
|
||||
- [`enable-ech-ocsp.json`](#enable-ech-ocspjson)
|
||||
- [`enable-labs.json`](#enable-labsjson)
|
||||
- [`fix-edge-search.json`](#fix-edge-searchjson)
|
||||
- [`force-incognito.json`](#force-incognitojson)
|
||||
- [`force-incognito.json.badidea`](#force-incognitojsonbadidea)
|
||||
- [`https-everywhere.json`](#https-everywherejson)
|
||||
- [`README.md`](#readmemd)
|
||||
|
||||
|
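Review bot: the four renamed index entries point at new anchors (`#disable-incognitojsonbadidea`, `#doh-quad9-insecure-ecsjsonbadidea`, `#doh-quad9-insecurejsonbadidea`, `#force-incognitojsonbadidea`) and the matching `##` headings are renamed in the later hunks of this README, so the links resolve; however `doh-unlocked-unset.json` sits between `doh-cloudflare-secure.json` and `doh-dns0.json`, breaking the otherwise alphabetical order of the list. Move it after `doh-quad9.json` so the index stays sorted.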
@ -247,7 +247,7 @@ Disables floc or ad topics that are against privacy.
|
|||
|
||||
- https://start.duckduckgo.com/?q=google+floc+privacy+topics
|
||||
|
||||
## `disable-incognito.json`
|
||||
## `disable-incognito.json.badidea`
|
||||
|
||||
Disables incognito mode. I don't recommend this.
|
||||
|
||||
|
@ -259,9 +259,11 @@ Sets Cloudflare with malware protection as the forced DNS-over-HTTPS server.
|
|||
|
||||
If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.
|
||||
|
||||
Incompatible with other `doh-*.json` file, because they set `"DnsOverHttpsMode": "secure",`.
|
||||
|
||||
**_This also causes there to not be ECH._**
|
||||
My other `doh-*.json` set this as well, because `secure` doesn't allow
|
||||
downgrade to system resolver and Chromium seems somewhat unreliable with it often reporting
|
||||
`DNS_PROBE_POSSIBLE` and while this occassionally disables ECH, it works and
|
||||
my system resolvers are encrypted. I hope they will implement ECH with system
|
||||
resolver soon to fix this.
|
||||
|
||||
## `doh-dns0.json`
|
||||
|
||||
|
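Review bot: the added paragraph starting `My other \`doh-*.json\` set this as well` is one run-on sentence and carries a typo (`occassionally`, should be `occasionally`); more importantly, the claim `my system resolvers are encrypted` only holds on hosts that also install this repo's systemd-resolved and Unbound DNS-over-TLS configuration, and with `"DnsOverHttpsMode": "automatic"` Chromium silently falls back to whatever the system resolver is, so state that dependency here. Suggested wording: `... often reporting DNS_PROBE_POSSIBLE. This occasionally disables ECH, but it works, and my system resolvers are encrypted by the resolved/Unbound configs in this repo.`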
@ -278,12 +280,12 @@ Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker bl
|
|||
Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
|
||||
their alternative port.
|
||||
|
||||
## `doh-quad9-insecure-ecs.json`
|
||||
## `doh-quad9-insecure-ecs.json.badidea`
|
||||
|
||||
Forces DNS over HTTPS with Quad9 ECS enabled unfiltered server and also contains
|
||||
their alternative port. **No DNSSEC either.**
|
||||
|
||||
## `doh-quad9-insecure.json`
|
||||
## `doh-quad9-insecure.json.badidea`
|
||||
|
||||
Forces DNS over HTTPS with Quad9 unfiltered server and also contains
|
||||
their alternative port. **No DNSSEC either.**
|
||||
|
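Review bot: the descriptions in this hunk (and the context line `Forces DNS-over-HTTPS with Mullvad Base ...`) still say the files `force` DNS over HTTPS, but the corresponding `doh-*.json` files in this compare now set `"DnsOverHttpsMode": "automatic"`, which permits fallback to the system resolver; reword to something like `Prefers DNS over HTTPS with Quad9 ...` so the README matches the policy behaviour. The `.badidea` renames of the `doh-quad9-insecure*` entries are consistent with the `**No DNSSEC either.**` note and need no further change.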
@ -297,7 +299,10 @@ their alternative port.
|
|||
|
||||
Enables encrypted client hello (ECH) and Online Certificate Status Protocol (OCSP) (or Certificate Revocation List (CRL)?) checks.
|
||||
|
||||
However ECH seems to require `"DnsOverHttpsMode": "secure"` from the `doh-*` files and OCSP seems to bypass that going to the system resolver.
|
||||
However ECH requires `"DnsOverHttpsMode": "secure"` which will break things
|
||||
(and thus my files don't enable it),
|
||||
or it will occassionally get disabled (I hope they implement it with system
|
||||
resolver soon).
|
||||
|
||||
## `enable-labs.json`
|
||||
|
||||
|
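Review bot: the added lines `However ECH requires \`"DnsOverHttpsMode": "secure"\` which will break things` are vague about what breaks and repeat the `occassionally` typo; name the failure already documented under `doh-unlocked-unset.json` and fix the spelling, for example `However ECH requires "DnsOverHttpsMode": "secure", which makes Chromium report DNS_PROBE_POSSIBLE often enough that my files no longer set it; with "automatic", ECH will occasionally get disabled (I hope they implement it with the system resolver soon).` The unchanged context line still carries the open question `(or Certificate Revocation List (CRL)?)`; either verify which check the policy enables or drop the parenthetical.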
@ -309,7 +314,7 @@ Tells Microsoft Edge to redirect queries from new tab search box to URL bar
|
|||
effectively forcing it to respect user configured search engine instead of
|
||||
stealthily sending those queries to Bing.
|
||||
|
||||
## `force-incognito.json`
|
||||
## `force-incognito.json.badidea`
|
||||
|
||||
Forces incognito mode. I don't recommend this.
|
||||
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
{
|
||||
"comment": "This is a bad idea, because I don't know other DNS servers that
|
||||
perform DNSSEC in addition to DNS-over-HTTPS, I just know these two do and
|
||||
Quad9 doesn't. This would otherwise be the unbound.conf.d/dns-over-tls.conf
|
||||
equivalent.",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://open.dns0.eu/
|
||||
https://doh.applied-privacy.net/query"
|
||||
}
|
|
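Review bot: the `comment` and `DnsOverHttpsTemplates` string values in this new file span several physical lines, and JSON does not allow raw line breaks inside string literals, so a strict parser rejects the whole file and neither policy is applied; put each value on one line and separate the two templates with a single space, as the `doh-quad9*.json` files do (`"DnsOverHttpsTemplates": "https://open.dns0.eu/ https://doh.applied-privacy.net/query"`). Also confirm that the non-policy key `comment` is tolerated by the browser's policy loader rather than reported as an unknown policy.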
@ -1,4 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "secure",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://security.cloudflare-dns.com/dns-query"
|
||||
}
|
||||
|
|
|
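Review bot: switching `DnsOverHttpsMode` from `secure` to `automatic` (here and in every other `doh-*.json` hunk in this compare) is a deliberate downgrade: Chromium may fall back to the system resolver when the DoH template fails, so on a host whose system resolver is plain DNS the policy no longer guarantees encrypted lookups. Consider keeping a `secure` variant for hosts without the resolved/Unbound setup from this repo, and record the tradeoff in the README entry for each file rather than only under `doh-unlocked-unset.json`.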
@ -1,4 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "secure",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://kids.dns0.eu/"
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "secure",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://open.dns0.eu/"
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "secure",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://zero.dns0.eu/"
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "secure",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://dns0.eu/"
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "secure",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://base.dns.mullvad.net/dns-query"
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "secure",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://dns11.quad9.net/dns-query https://dns11.quad9.net:5053/dns-query"
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "secure",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://dns12.quad9.net/dns-query https://dns12.quad9.net:5053/dns-query"
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "secure",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://dns10.quad9.net/dns-query https://dns10.quad9.net:5053/dns-query"
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
"DnsOverHttpsMode": "secure",
|
||||
"DnsOverHttpsMode": "automatic",
|
||||
"DnsOverHttpsTemplates": "https://dns.quad9.net/dns-query https://dns.quad9.net:5053/dns-query"
|
||||
}
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
# BREAKAGE WARNING for everything else than DNSSEC=false !
|
||||
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
|
||||
# PRIVACY WARNING! systemd-networkd/links may override this.
|
||||
# NOTE: Empty variables unset whatever is set before! They are not a mistake.
|
||||
DNSSEC=true
|
||||
# Take the risk of downgrade attacks. Web browser policies enforce
|
||||
# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
|
||||
|
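Review bot: the trailing context comment `# Take the risk of downgrade attacks. Web browser policies enforce` / `# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring` is stale after this same compare switches every `doh-*.json` policy from `secure` to `automatic`; the browser no longer enforces DoH, so the comment overstates the mitigation and should be updated in the same change. The added `# NOTE: Empty variables unset whatever is set before! They are not a mistake.` line is a helpful explanation of the `DNS=` / `FallbackDNS=` resets that follow.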
@ -11,10 +12,13 @@ DNSSEC=true
|
|||
#DNSOverTLS=opportunistic
|
||||
DNSOverTLS=true
|
||||
Cache=true
|
||||
# Consider local DNS servers if they exist. Empty should erase previous values.
|
||||
# Consider local DNS servers if they exist.
|
||||
DNS=
|
||||
DNS=127.0.0.1
|
||||
DNS=::1
|
||||
DNS=127.0.0.1
|
||||
FallbackDNS=
|
||||
FallbackDNS=::1
|
||||
FallbackDNS=127.0.0.1
|
||||
Domains=~.
|
||||
# .local domains
|
||||
MulticastDNS=true
|
||||
|
|
|
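Review bot: with `DNSOverTLS=true` (strict mode) kept in this hunk, the loopback servers added as `DNS=::1` / `DNS=127.0.0.1` must themselves accept DNS over TLS on port 853, otherwise every lookup fails instead of falling back; add a comment naming which local service terminates TLS on loopback, or use the commented-out `#DNSOverTLS=opportunistic` for the loopback case. Also `DNS=` and `FallbackDNS=` now list the same two loopback addresses, so the fallback list adds nothing; harmless, but worth a comment if it is intentional.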
@ -1,5 +1,7 @@
|
|||
[Resolve]
|
||||
DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
|
||||
# OK, this is not 443, but it bothers me to not have both ports used.
|
||||
DNS=[2a02:1b8:10:234::2]:853#dot1.applied-privacy.net 146.255.56.98:853#dot1.applied-privacy.net
|
||||
#DNSOverTLS=true
|
||||
|
||||
# vim: filetype=systemd
|
||||
|
|
|
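Review bot: the two `DNS=` lines accumulate (there is no empty `DNS=` reset in this file), so both the existing 443 endpoint and the added 853 endpoint are used, which is what the new comment intends; but `# OK, this is not 443, but it bothers me to not have both ports used.` does not say why 443 is listed at all. State the reason for keeping 443 (for example, as a fallback on networks that block 853) and note that 853 is the standard DoT port. Since `#DNSOverTLS=true` stays commented out here, TLS for these servers depends on the global `DNSOverTLS=true` in resolved.conf; a one-line comment saying so would help anyone installing this drop-in alone.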
@ -0,0 +1,14 @@
|
|||
# Being at the end of the English alphabet, this file will take priority
|
||||
# and override values of others with the unsets.
|
||||
[Resolve]
|
||||
DNSSEC=false
|
||||
DNSOverTLS=false
|
||||
Cache=false
|
||||
DNS=
|
||||
DNS=::1
|
||||
DNS=127.0.0.1
|
||||
FallbackDNS=
|
||||
FallbackDNS=::1
|
||||
FallbackDNS=127.0.0.1
|
||||
Domains=~.
|
||||
# vim: filetype=systemd
|
|
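Review bot: because drop-ins in `resolved.conf.d` are applied in lexical order and this late-sorting file resets `DNS=` and `FallbackDNS=` before listing only loopback, it silently discards the `dot1.applied-privacy.net` servers configured in the other drop-in in this compare, and `DNSSEC=false` / `DNSOverTLS=false` turn off resolved's own validation and encryption; that is only safe when a validating, DoT-forwarding Unbound is listening on loopback. Say so in the header comment and make the two drop-ins mutually exclusive (install one or the other) rather than relying on file ordering to pick the winner.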
@ -0,0 +1,6 @@
|
|||
[Unit]
|
||||
Wants=firewalld.service
|
||||
After=firewalld.service
|
||||
|
||||
[Service]
|
||||
ExecStartPost=/usr/bin/firewall-cmd --add-protocol=ipv6-icmp
|
|
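Review bot: `ExecStartPost=/usr/bin/firewall-cmd --add-protocol=ipv6-icmp` is a runtime-only change to the default zone, and if firewalld is not yet answering on D-Bus when it runs, the non-zero exit fails the whole unit this drop-in extends even though `After=firewalld.service` is set. Prefix the command with `-` (`ExecStartPost=-/usr/bin/firewall-cmd --add-protocol=ipv6-icmp`) so a transient failure is logged but not fatal, and pass `--zone=` explicitly if the interface is not in the default zone.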
@ -0,0 +1,3 @@
|
|||
firewalld-icmpv6.conf
|
||||
never-fail.conf
|
||||
restore-ipv6.conf
|
|
@ -0,0 +1 @@
|
|||
../service.d/firewalld-icmpv6.conf
|
|
@ -0,0 +1 @@
|
|||
../service.d/restore-ipv6.conf
|
|
@ -17,9 +17,30 @@ forward-zone:
|
|||
name: "."
|
||||
forward-tls-upstream: yes
|
||||
|
||||
# https://appliedprivacy.net/services/dns/ - Vienna, Austria
|
||||
# https://appliedprivacy.net/services/dns/ - Vienna, Austria, no ECS
|
||||
forward-addr: 2a02:1b8:10:234::2@443#dot1.applied-privacy.net
|
||||
forward-addr: 146.255.56.98@443#dot1.applied-privacy.net
|
||||
forward-addr: 2a02:1b8:10:234::2@853#dot1.applied-privacy.net
|
||||
forward-addr: 146.255.56.98@853#dot1.applied-privacy.net
|
||||
|
||||
# Quad9 unfiltered, anycast, no ECS, no DNSSEC (Unbound does that)
|
||||
forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
|
||||
forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
|
||||
forward-addr: 149.112.112.10@853#dns10.quad9.net
|
||||
forward-addr: 149.112.112.10@8853#dns10.quad9.net
|
||||
forward-addr: 2620:fe::10@853#dns10.quad9.net
|
||||
forward-addr: 2620:fe::10@8853#dns10.quad9.net
|
||||
forward-addr: 9.9.9.10@853#dns10.quad9.net
|
||||
forward-addr: 9.9.9.10@8853#dns10.quad9.net
|
||||
# Quad9 unfiltered, anycast, ECS, no DNSSEC (Unbound does that)
|
||||
#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
|
||||
#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
|
||||
#forward-addr: 9.9.9.12@853#dns12.quad9.net
|
||||
#forward-addr: 9.9.9.12@8853#dns12.quad9.net
|
||||
#forward-addr: 2620:fe::12@853#dns12.quad9.net
|
||||
#forward-addr: 2620:fe::12@8853#dns12.quad9.net
|
||||
#forward-addr: 149.112.112.12@853#dns12.quad9.net
|
||||
#forward-addr: 149.112.112.12@8853#dns12.quad9.net
|
||||
|
||||
# https://www.dns0.eu/open https://www.dns0.eu/network - French based. Private ECS
|
||||
forward-addr: 193.110.81.254@853#open.dns0.eu
|
||||
|
|
|
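Review bot: every added `forward-addr` carries an `#authname` suffix for TLS certificate verification, which Unbound only enforces when `tls-cert-bundle` (or `tls-system-cert: yes`) is set in the `server:` section; that setting is outside this hunk, so confirm it is present, otherwise `forward-tls-upstream: yes` still encrypts but does not authenticate the upstreams. Also the `open.dns0.eu` entry lists only an IPv4 address while the other providers list both families; add the IPv6 address for consistency if dns0 publishes one.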
@ -1 +1 @@
|
|||
Subproject commit ee52e648efc64443185543fef1bc561691524751
|
||||
Subproject commit 69d13c9d1a572742ccb7b4e81f83fd8376de4b1c
|
|
@ -1,6 +1,9 @@
|
|||
# Ensure /etc/sysctl.d/ gets read
|
||||
@reboot /usr/sbin/sysctl -p --system >/dev/null 2>&1
|
||||
|
||||
# Ensure we really allow ICMPv6 on FEDORA
|
||||
@reboot /usr/bin/firewall-cmd --add-protocol=ipv6-icmp >/dev/null 2>&1
|
||||
|
||||
# 3rd party Xbox controller initialization. See Mikaela/gist/gayming/
|
||||
@reboot /root/fixcontroller.py
|
||||
|
||||
|
|
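Review bot: the added `@reboot /usr/bin/firewall-cmd --add-protocol=ipv6-icmp >/dev/null 2>&1` duplicates the systemd drop-in in this compare and races firewalld at boot, and the redirect hides the failure, so when cron runs before firewalld is up ICMPv6 silently stays blocked; drop this entry in favour of the unit drop-in (which orders itself `After=firewalld.service`), or at least keep stderr by removing `2>&1` so the failure reaches cron's mail or the journal.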