2025-01-10 12:12:43 +01:00
20 changed files with 103 additions and 62 deletions
--- a/etc/systemd/resolved.conf.d/00-defaults.conf
+++ b/etc/systemd/resolved.conf.d/00-defaults.conf
@ -1,6 +0,0 @@
 [Resolve]
 # https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
 #DNSSEC=allow-downgrade
 DNSSEC=no
 DNSOverTLS=opportunistic
 Cache=yes
--- a/etc/systemd/resolved.conf.d/00-everywhere.conf
+++ b/etc/systemd/resolved.conf.d/00-everywhere.conf
@ -0,0 +1,6 @@
 # Config file to attempt DNSSEC and DoT everywhere, regardless of tech
 # skill
 [Resolve]
 DNSSEC=allow-downgrade
 DNSOverTLS=opportunistic
 Cache=true
--- a/etc/systemd/resolved.conf.d/README.md
+++ b/etc/systemd/resolved.conf.d/README.md
@ -1,24 +1,19 @@
-# systemd-resolved additional config files
+## systemd-resolved additional config files
-## Quickstart
+### Files explained
-```bash
+* 00-everywhere.conf - configuration that doesn't affect DNS servers, attempts
-sudo systemctl enable --now systemd-resolved.service
+  to use DNSSEC and DoT and if it fails, doesn't care and uses insecure
-sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+  configuration.
-# After changing configuration
+* quad9-compat.conf - non-tech person config for Quad9, same as above except
-sudo systemctl restart systemd-resolved
+  specifies the server.
-```
+* quad9-strict.conf - tech person config demanding DNSSEC and DoT from Quad9
 * README.md - you are reading it right now.
-## Files explained
+### General commentary
-* `00-defaults.conf` - configuration not touching resolvers. Disables DNSSEC (as
+I have moved duplicate comments to this file, so it will possibly look weird
-  systemd-resolved doesn't handle it properly), enables opportunistic DoT and
+or miss original context.
  caching.
 * `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
  captive portals are a concern, `DNSOverTLS=no`.
 * `README.md` - you are reading it right now.
 ## General commentary
 * Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
  at the time of writing this README.md, the current version is Ubuntu 20.04.0)
@ -31,12 +26,11 @@ sudo systemctl restart systemd-resolved
 * DNSSEC may not work if the system is down for a long time and not updated.
  Thus `allow-downgrade` may be better for non-tech people, even with the
  potential downgrade attack. There are also captive portals, affecting
-  `DNSOverTLS`. Both take `yes` or `no` or their own special option,
+  `DNSOverTLS`. Both take `true` or `false` or their own special option,
  for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
 Other links I have found important and my files are based on:
 * https://wiki.archlinux.org/index.php/Systemd-resolved
  * Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
 * request for strict DOT: https://github.com/systemd/systemd/issues/10755
 * vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
--- a/etc/systemd/resolved.conf.d/adguard-dot.conf
+++ b/etc/systemd/resolved.conf.d/adguard-dot.conf
@ -0,0 +1,14 @@
 # AdGuard / systemd-resolved. For people who don't panic when DoT doesn't
 # work and captive portals attack? See README.md. Also requires not
 # panicking if tbe user needs something AdGuard is blocking.
 [Resolve]
 DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
 Domains=~.
 # non-tech friendliness in case system down for ages. Also DNSSEC ensures
 # the DNS server isn't lying which is a task of adblocking DNS server...
 DNSSEC=false
 # There is no point of disabling this with adblocking DNS
 DNSOverTLS=true
 Cache=true
 # Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html
--- a/etc/systemd/resolved.conf.d/cloudflare-strict.conf
+++ b/etc/systemd/resolved.conf.d/cloudflare-strict.conf
@ -0,0 +1,8 @@
 # Cloudflare / systemd-resolved. For people who don't panic when DNSSEC or
 # DoT doesn't work and captive portals attack? See README.md
 [Resolve]
 DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
 Domains=~.
 DNSSEC=true
 DNSOverTLS=true
 Cache=true
--- a/etc/systemd/resolved.conf.d/dot-adguard.conf
+++ b/etc/systemd/resolved.conf.d/dot-adguard.conf
@ -1,7 +0,0 @@
 [Resolve]
 DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com 94.140.15.15#dns.adguard.com
 Domains=~.
 DNSOverTLS=yes
 Cache=yes
 # Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html
--- a/etc/systemd/resolved.conf.d/dot-cloudflare.conf
+++ b/etc/systemd/resolved.conf.d/dot-cloudflare.conf
@ -1,5 +0,0 @@
 [Resolve]
 DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com
 Domains=~.
 DNSOverTLS=yes
 Cache=yes
--- a/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
+++ b/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
@ -0,0 +1,8 @@
 [Resolve]
 DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
 Domains=~.
 # non-tech friendliness in case system down for ages. Also DNSSEC ensures
 # the DNS server isn't lying which is a task of adblocking DNS server...
 DNSSEC=false
 DNSOverTLS=true
 Cache=true
--- a/etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf
+++ b/etc/systemd/resolved.conf.d/dot-mullvad-adblock.conf
@ -1,5 +0,0 @@
 [Resolve]
 DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
 Domains=~.
 DNSOverTLS=yes
 Cache=yes
--- a/etc/systemd/resolved.conf.d/dot-mullvad-strict.conf
+++ b/etc/systemd/resolved.conf.d/dot-mullvad-strict.conf
@ -1,5 +1,6 @@
 [Resolve]
 DNS=2a07:e340::2#doh.mullvad.net 194.242.2.2#doh.mullvad.net 193.19.108.2#doh.mullvad.net
 Domains=~.
-DNSOverTLS=yes
+DNSSEC=true
-Cache=yes
+DNSOverTLS=true
 Cache=true
--- a/etc/systemd/resolved.conf.d/dot-quad9-ecs.conf
+++ b/etc/systemd/resolved.conf.d/dot-quad9-ecs.conf
@ -1,5 +0,0 @@
 [Resolve]
 DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
 Domains=~.
 DNSOverTLS=yes
 Cache=yes
--- a/etc/systemd/resolved.conf.d/dot-snopyta.conf
+++ b/etc/systemd/resolved.conf.d/dot-snopyta.conf
@ -1,5 +0,0 @@
 [Resolve]
 DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
 Domains=~.
 DNSOverTLS=yes
 Cache=yes
--- a/etc/systemd/resolved.conf.d/nextdns-compat.conf
+++ b/etc/systemd/resolved.conf.d/nextdns-compat.conf
@ -1,5 +1,7 @@
 # NextDNS / systemd-resolved. For non-tech people? See README.md
 [Resolve]
 2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
 Domains=~.
-DNSOverTLS=yes
+DNSSEC=allow-downgrade
-Cache=yes
+DNSOverTLS=opportunistic
 Cache=true
--- a/etc/systemd/resolved.conf.d/nextdns-strict.conf
+++ b/etc/systemd/resolved.conf.d/nextdns-strict.conf
@ -0,0 +1,8 @@
 # NextDNS / systemd-resolved. For people who don't panic when DNSSEC or
 # DoT doesn't work and captive portals attack? See README.md
 [Resolve]
 2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
 Domains=~.
 DNSSEC=true
 DNSOverTLS=true
 Cache=true
--- a/etc/systemd/resolved.conf.d/quad9-compat.conf
+++ b/etc/systemd/resolved.conf.d/quad9-compat.conf
@ -1,5 +1,7 @@
 # Quad9 / systemd-resolved. For non-tech people? See README.md
 [Resolve]
 DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
 Domains=~.
-DNSOverTLS=yes
+DNSSEC=allow-downgrade
-Cache=yes
+DNSOverTLS=opportunistic
 Cache=true
--- a/etc/systemd/resolved.conf.d/quad9-ecs-compat.conf
+++ b/etc/systemd/resolved.conf.d/quad9-ecs-compat.conf
@ -0,0 +1,7 @@
 # Quad9 with client subnet / systemd-resolved. For non-tech people? See README.md
 [Resolve]
 DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
 Domains=~.
 DNSSEC=allow-downgrade
 DNSOverTLS=opportunistic
 Cache=true
--- a/etc/systemd/resolved.conf.d/quad9-ecs-strict.conf
+++ b/etc/systemd/resolved.conf.d/quad9-ecs-strict.conf
@ -0,0 +1,8 @@
 # Quad9 with client subnet / systemd-resolved. For people who don't panic when DNSSEC or
 # DoT doesn't work and captive portals attack? See README.md
 [Resolve]
 DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
 Domains=~.
 DNSSEC=true
 DNSOverTLS=true
 Cache=true
--- a/etc/systemd/resolved.conf.d/quad9-strict.conf
+++ b/etc/systemd/resolved.conf.d/quad9-strict.conf
@ -0,0 +1,8 @@
 # Quad9 / systemd-resolved. For people who don't panic when DNSSEC or
 # DoT doesn't work and captive portals attack? See README.md
 [Resolve]
 DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
 Domains=~.
 DNSSEC=true
 DNSOverTLS=true
 Cache=true
--- a/etc/systemd/resolved.conf.d/snopyta-strict.conf
+++ b/etc/systemd/resolved.conf.d/snopyta-strict.conf
@ -0,0 +1,8 @@
 # Snopyta / systemd-resolved. For people who don't panic when DNSSEC or
 # DoT doesn't work and captive portals attack? See README.md
 [Resolve]
 DNS=2a01:4f9:2a:1919::9301#fi.dot.dns.snopyta.org 95.216.24.230#fi.dot.dns.snopyta.org
 Domains=~.
 DNSSEC=true
 DNSOverTLS=true
 Cache=true
--- a/etc/systemd/resolved.conf.d/unbound.conf
+++ b/etc/systemd/resolved.conf.d/unbound.conf
@ -3,9 +3,9 @@
 DNS=127.0.0.1
 DNS=::1
 Domains=~.
-# Done better by Unbound, no failed-auxiliary (https://github.com/systemd/systemd/issues/9867)
+# Done better by Unbound, no failed-auxillary
-DNSSEC=no
+DNSSEC=false
 # Not needed on localhost
-DNSOverTLS=no
+DNSOverTLS=false
 # Done by Unbound
-Cache=no
+Cache=false