conf/librewolf.overrides.cfg

@@ -8,8 +8,6 @@
 // and finally becoming Firefox autoconfig file copied from
 // https://codeberg.org/librewolf/settings/src/branch/master/librewolf.cfg
 
-// NOTE! A lot is commented either for being a note, wrong, TODO, whatever, or most likely in my /etc/firefox/policies/policies.json
-
 // Firefox autoconfig
 pref("autoadmin.global_config_url", "https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/librewolf.overrides.cfg");
 pref("general.config.obscure_value", 0);
@@ -22,7 +20,7 @@ pref("autoadmin.failover_to_cached", true);
 //pref("intl.regional_prefs.use_os_locales", false);
 
 // via https://www.ghacks.net/2017/10/27/how-to-enable-firefox-webextensions-on-mozilla-websites/
-//pref("extensions.webextensions.restrictedDomains", "");
+pref("extensions.webextensions.restrictedDomains", "");
 //pref("privacy.resistFingerprinting.block_mozAddonManage", true);
 // Block cookie banners. Warning: may result to auto-accepting cookies.
 // https://www.ghacks.net/2022/12/24/configure-firefox-to-reject-cookie-banners-automatically/
@@ -71,12 +69,12 @@ defaultPref("intl.accept_languages", "fi, en");
 //pref("intl.accept_languages", "eo, fi");
 
 // No JavaScript allowed in internal pdf viewer
-//pref("pdfjs.enableScripting", false);
+pref("pdfjs.enableScripting", false);
 
 // Dark mode
-//pref("ui.systemUsesDarkTheme", 1);
+pref("ui.systemUsesDarkTheme", 1);
 pref("prefers-color-scheme", "dark");
-//pref("pdfjs.viewerCssTheme", 2);
+pref("pdfjs.viewerCssTheme", 2);
 
 // Enable Firefox accounts
 pref("identity.fxaccounts.enabled", true);
@@ -95,34 +93,36 @@ pref("privacy.clearOnShutdown.siteSettings", false);
 defaultPref("browser.sessionstore.resume_from_crash", false);
 
 // Click to play. https://wiki.mozilla.org/Media/block-autoplay
-//pref("media.autoplay.blocking_policy", 2);
+pref("media.autoplay.blocking_policy", 2);
 
 // No corporate CA MITM
-//defaultPref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
+defaultPref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
 
 // Decrease animations
 pref("image.animation_mode", "once");
 
 // Punycode
-//pref("network.IDN_show_punycode", true);
+pref("network.IDN_show_punycode", true);
 
 // Enforce reader mode enabling?
 pref("reader.parse-on-load.force-enabled", true);
 
 // TRR & ECH
+// WARNING: policies.json lock enforces mode 2. However it won't matter
+// since the system resolver is encrypted, right?
 // Mode 2 allows fallback to system resolver, 3 is TTR-only.
 //pref("network.trr.mode", 2);
-//defaultPref("network.trr.mode", 3);
-//pref("network.trr.early-AAAA", true);
+defaultPref("network.trr.mode", 3);
+pref("network.trr.early-AAAA", true);
 //defaultPref("network.trr.uri", "https://dns0.eu/");
-//defaultPref("network.trr.uri", "https://dns11.quad9.net/dns-query");
+defaultPref("network.trr.uri", "https://dns11.quad9.net/dns-query");
 //defaultPref("network.trr.uri", "https://dns.adguard-dns.com/dns-query");
 // NOTE: ECH requires TRR, so mode 2 may not use it.
-//defaultPref("network.trr.disable-ECS", false);
-//pref("network.dns.echconfig.enabled", true);
-//pref("network.dns.use_https_rr_as_altsvc", true);
-//pref("network.trr.exclude-etc-hosts", false);
-//pref("network.trr.excluded-domains", "http.badssl.com,norwegianwifi.com,mywifiext.net,tplinkrepeater.net,router.asus.com");
+defaultPref("network.trr.disable-ECS", false);
+pref("network.dns.echconfig.enabled", true);
+pref("network.dns.use_https_rr_as_altsvc", true);
+pref("network.trr.exclude-etc-hosts", false);
+pref("network.trr.excluded-domains", "http.badssl.com,norwegianwifi.com,mywifiext.net,tplinkrepeater.net,router.asus.com");
 
 // Default UI scale
 defaultPref("layout.css.devPixelsPerPx", "1.5");
@@ -136,7 +136,7 @@ pref("browser.cache.memory.enable", true);
 //pref("browser.startup.page", 1);
 // Simplified DDG experience without prompts for extension and all
 //pref("browser.startup.homepage", "https://start.duckduckgo.com");
-//defaultPref("browser.startup.homepage", "about:mozilla");
+defaultPref("browser.startup.homepage", "about:mozilla");
 
 // https://codeberg.org/librewolf/settings/src/branch/master/librewolf.cfg begins
 
@@ -146,7 +146,7 @@ pref("browser.cache.memory.enable", true);
 pref("privacy.userContext.enabled", true);
 pref("privacy.userContext.ui.enabled", true);
 
-//pref("browser.contentblocking.category", "strict");
+pref("browser.contentblocking.category", "strict");
 pref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
 pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false);
 
@@ -173,7 +173,7 @@ pref("network.auth.subresource-http-auth-allow", 1); // block HTTP authenticatio
  * as a general rule, the behavior of referes which are not cross-origin should not
  * be changed.
  */
-//pref("network.http.referer.XOriginTrimmingPolicy", 2);
+pref("network.http.referer.XOriginTrimmingPolicy", 2);
 
 /** [SECTION] WEBRTC
  * there is no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+.
@@ -188,16 +188,16 @@ pref("network.proxy.socks_remote_dns", true); // forces dns query through the pr
 pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webrtc inside proxy when one is used
 
 /** [SECTION] DNS */
-//pref("network.dns.disablePrefetch", true); // disable dns prefetching
+pref("network.dns.disablePrefetch", true); // disable dns prefetching
 pref("network.dns.skipTRR-when-parental-control-enabled", false);  // Arkenfox user.js v117
 
 /** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS
  * disable prefecthing for different things such as links, bookmarks and predictions.
  */
-//pref("network.predictor.enabled", false);
-//pref("network.prefetch-next", false);
-//pref("network.http.speculative-parallel-limit", 0);
-//pref("browser.places.speculativeConnect.enabled", false);
+pref("network.predictor.enabled", false);
+pref("network.prefetch-next", false);
+pref("network.http.speculative-parallel-limit", 0);
+pref("browser.places.speculativeConnect.enabled", false);
 // disable speculative connections and domain guessing from the urlbar
 pref("browser.urlbar.speculativeConnect.enabled", false);
 
@@ -226,7 +226,7 @@ pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
  * in v103, when crlite is fully mature, it will switch to mode 2 and no longer double-check.
  */
 pref("security.remote_settings.crlite_filters.enabled", true);
-//pref("security.OCSP.require", true); // set to hard-fail, might cause SEC_ERROR_OCSP_SERVER_ERROR
+pref("security.OCSP.require", true); // set to hard-fail, might cause SEC_ERROR_OCSP_SERVER_ERROR
 
 /** [SECTION] TLS/SSL */
 pref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
@@ -294,7 +294,7 @@ pref("browser.download.alwaysOpenPanel", false); // do not expand toolbar menu f
  * or media opened while other media is played will not start automatically.
  * thumbnails will not autoplay unless hovered. exceptions can be set from the UI.
  */
-//pref("media.autoplay.default", 5);
+pref("media.autoplay.default", 5);
 
 /** [SECTION] POP-UPS AND WINDOWS
  * prevent scripts from resizing existing windows and opening new ones, by forcing them into
@@ -386,11 +386,11 @@ pref("browser.newtabpage.activity-stream.default.sites", "");
 /** [SECTION] ABOUT
  * remove annoying ui elements from the about pages, including about:protections
  */
-//pref("browser.contentblocking.report.lockwise.enabled", false);
-//pref("browser.contentblocking.report.hide_vpn_banner", true);
-//pref("browser.contentblocking.report.vpn.enabled", false);
-//pref("browser.contentblocking.report.show_mobile_app", false);
-//pref("browser.vpn_promo.enabled", false);
+pref("browser.contentblocking.report.lockwise.enabled", false);
+pref("browser.contentblocking.report.hide_vpn_banner", true);
+pref("browser.contentblocking.report.vpn.enabled", false);
+pref("browser.contentblocking.report.show_mobile_app", false);
+pref("browser.vpn_promo.enabled", false);
 pref("browser.promo.focus.enabled", false);
 // ...about:addons recommendations sections and more
 pref("extensions.htmlaboutaddons.recommendations.enabled", false);
@@ -399,7 +399,7 @@ pref("lightweightThemes.getMoreURL", ""); // disable button to get more themes
 // ...about:preferences#home
 pref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button
 // ...and about:config
-//pref("browser.aboutConfig.showWarning", false);
+pref("browser.aboutConfig.showWarning", false);
 // hide about:preferences#moreFromMozilla
 pref("browser.preferences.moreFromMozilla", false);
 

etc/firefox/policies/README.md

@@ -13,14 +13,12 @@ per whatever I am doing.
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
 - [WARNING TO LIBREWOLF USERS](#warning-to-librewolf-users)
+- [WARNING TO TRR/ENCRYPTED DNS USERS!](#warning-to-trrencrypted-dns-users)
 - [Extensions](#extensions)
   - [Privacy Badger](#privacy-badger)
-    - [Duplicate](#duplicate)
 - [Search engines](#search-engines)
 - [Useful looking things for the future](#useful-looking-things-for-the-future)
   - [Certificate installations](#certificate-installations)
-- [Things that look useful, but aren't](#things-that-look-useful-but-arent)
-  - [WebSiteFilter](#websitefilter)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
@@ -33,6 +31,11 @@ This file takes priority over
 `/usr/share/librewolf/distribution/policies.json` so don't apply this or
 a lot of LibreWolf specific customizations stops being in force.
 
+## WARNING TO TRR/ENCRYPTED DNS USERS!
+
+If `policies.json` locks DNS over HTTPS, `trr.mode` gets locked into `2` which
+means fallback to system resolver.
+
 ## Extensions
 
 They are mostly self-explanatory.
@@ -49,18 +52,6 @@ See also:
 - https://github.com/EFForg/privacybadger/blob/master/doc/admin-deployment.md
 - https://github.com/EFForg/privacybadger/blob/master/src/data/schema.json
 
-#### Duplicate
-
-```diff
--      "jid1-MnnxcxisBPnSXQ-eff@jetpack": {
--        "install_url": "https://www.eff.org/files/privacy-badger-latest.xpi",
-+      "jid1-MnnxcxisBPnSXQ@jetpack": {
-+        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi",
-```
-
-The EFF.org version won't sync and if you sync with unmanaged computer, you
-will have two PrivacyBadgers. Congratulations?
-
 ## Search engines
 
 > Policy SearchEngines is only allowed on ESR.
@@ -82,24 +73,3 @@ In the `certificates` section
   "Install": ["my_certificate_here.pem"]
 }
 ```
-
-## Things that look useful, but aren't
-
-### WebSiteFilter
-
-```json
-{
-  "policies": {
-    "WebsiteFilter": {
-      "Block": ["<all_urls>"],
-      "Exceptions": ["http://example.org/*"]
-    }
-  }
-}
-```
-
-Ok, nice, but my policy is already forcing AdNauseam which enforces my
-blocklist which is more practical.
-
-Granted users can use private browsing mode to get past it, but I am not
-blocking actively malicious domains.

etc/firefox/policies/policies.json

@@ -41,7 +41,7 @@
             ]
           }
         },
-        "jid1-MnnxcxisBPnSXQ@jetpack": {
+        "jid1-MnnxcxisBPnSXQ-eff@jetpack": {
           "checkForDNTPolicy": true,
           "disabledSites": [
             "app.element.io",
@@ -67,10 +67,6 @@
         }
       }
     },
-    "BlockAboutAddons": false,
-    "BlockAboutConfig": false,
-    "BlockAboutProfiles": false,
-    "BlockAboutSupport": false,
     "Certificates": {
       "ImportEnterpriseRoots": false
     },
@@ -85,13 +81,8 @@
     },
     "DNSOverHTTPS": {
       "Enabled": true,
-      "ExcludedDomains": [
-        "http.badssl.com",
-        "norwegianwifi.com"
-      ],
-      "Fallback": false,
-      "Locked": false,
-      "ProviderURL": "https://dns.quad9.net/dns-query"
+      "Locked": true,
+      "ProviderURL": "https://dns11.quad9.net/dns-query"
     },
     "DisableEncryptedClientHello": false,
     "DisablePocket": true,
@@ -139,11 +130,7 @@
         "installation_mode": "normal_installed"
       },
       "jid1-MnnxcxisBPnSXQ-eff@jetpack": {
-        "blocked_install_message": "Kaksoiskappale samasta lisäosasta.",
-        "installation_mode": "blocked"
-      },
-      "jid1-MnnxcxisBPnSXQ@jetpack": {
-        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi",
+        "install_url": "https://www.eff.org/files/privacy-badger-latest.xpi",
         "installation_mode": "force_installed"
       },
       "peertube-companion@booteille": {
@@ -213,178 +200,15 @@
       "StartPage": "previous-session",
       "URL": "about:mozilla"
     },
-    "NetworkPrediction": false,
-    "NewTabPage": false,
     "OverrideFirstRunPage": "about:mozilla",
     "PDFjs": {
       "EnablePermissions": false,
       "Enabled": true
     },
     "Preferences": {
-      "browser.aboutConfig.showWarning": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": false
-      },
-      "browser.contentblocking.category": {
-        "Status": "locked",
-        "Type": "string",
-        "Value": "strict"
-      },
-      "browser.contentblocking.report.hide_vpn_banner": {
-        "Status": "default",
-        "Type": "boolean",
-        "Value": true
-      },
-      "browser.contentblocking.report.lockwise.enabled": {
-        "Status": "default",
-        "Type": "boolean",
-        "Value": false
-      },
-      "browser.contentblocking.report.show_mobile_app": {
-        "Status": "default",
-        "Type": "boolean",
-        "Value": false
-      },
-      "browser.contentblocking.report.vpn.enabled": {
-        "Status": "default",
-        "Type": "boolean",
-        "Value": false
-      },
-      "extensions.webextensions.restrictedDomains": {
-        "Status": "locked",
-        "Type": "string",
-        "Value": ""
-      },
-      "intl.accept_languages": {
-        "Status": "default",
-        "Type": "string",
-        "Value": "fi, en"
-      },
-      "layout.css.devPixelsPerPx": {
-        "Status": "default",
-        "Type": "string",
-        "Value": "1.5"
-      },
-      "media.autoplay.default": {
-        "Status": "default",
-        "Type": "number",
-        "Value": 5
-      },
-      "network.IDN_show_punycode": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "network.dns.echconfig.enabled": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "network.dns.use_https_rr_as_altsvc": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "network.http.referer.XOriginTrimmingPolicy": {
-        "Status": "default",
-        "Type": "number",
-        "Value": 2
-      },
-      "network.http.referer.defaultPolicy": {
-        "Status": "default",
-        "Type": "number",
-        "Value": 1
-      },
-      "network.http.speculative-parallel-limit": {
-        "Status": "locked",
-        "Type": "number",
-        "Value": 0
-      },
-      "network.predictor.enabled": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": false
-      },
-      "network.prefetch-next": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": false
-      },
-      "network.trr.disable-ECS": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "network.trr.display_fallback_warning": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "network.trr.early-AAAA": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "network.trr.exclude-etc-hosts": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": false
-      },
       "pdfjs.enableScripting": {
         "Status": "locked",
-        "Type": "boolean",
         "Value": false
-      },
-      "pdfjs.forcePageColors": {
-        "Status": "default",
-        "Type": "boolean",
-        "Value": true
-      },
-      "pdfjs.pageColorsBackground": {
-        "Status": "default",
-        "Type": "string",
-        "Value": "#000000"
-      },
-      "pdfjs.pageColorsForeground": {
-        "Status": "default",
-        "Type": "string",
-        "Value": "#ffb700"
-      },
-      "privacy.userContext.enabled": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "privacy.userContext.ui.enabled": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "security.OCSP.require": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "security.insecure_connection_text.enabled": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "security.insecure_connection_text.pbmode.enabled": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "security.ssl.enable_ocsp_stapling": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
-      },
-      "ui.systemUsesDarkTheme": {
-        "Status": "default",
-        "Type": "number",
-        "Value": 1
       }
     },
     "SearchEngines": {

etc/init-browser-policies.bash

@@ -3,12 +3,6 @@
 # their policies. The user is trusted to setup those manually.
 set -x
 
-# Require root or exit
-if [ "$(id -u)" != "0" ]; then
-	echo "This script requires root for managing /etc/" 1>&2
-	exit 1
-fi
-
 # Firefox and LibreWolf (caution! https://codeberg.org/librewolf/issues/issues/1767)
 mkdir -vp /etc/firefox/policies
 chmod -v a+rx /etc/firefox/
@@ -19,7 +13,6 @@ printf "WARNING! LibreWolf default profile may be masked!\nhttps://codeberg.org/
 
 # Firefox ESR
 ln -sfv /etc/firefox /etc/firefox-esr
-rm -fv /etc/firefox-esr/firefox-esr
 
 # Chromium
 mkdir -vp /etc/opt/chromium/policies/managed
@@ -29,15 +22,12 @@ chmod -v a+rx /etc/opt/chromium/policies/{managed,recommended}/
 
 # Brave
 ln -sfv /etc/opt/chromium /etc/brave
-rm -fv /etc/brave/brave
 
 # Vivaldi
 ln -sfv /etc/opt/chromium /etc/chromium
-rm -fv /etc/chromium/chromium
 
 # Google Chrome
 ln -sfv /etc/opt/chromium /etc/opt/chrome
-rm -fv /etc/etc/opt/chrome/chrome
 
 # Microsoft Edge
 # NOTE! It breaks chrome:// URLs so the recommended policy apps as new tab page
@@ -46,7 +36,6 @@ rm -fv /etc/etc/opt/chrome/chrome
 #ln -sfv /etc/opt/chromium /etc/opt/edge
 mkdir -vp /etc/opt/edge/policies/recommended
 ln -sfv /etc/opt/chromium/policies/managed /etc/opt/edge/policies/managed
-rm -fv /etc/opt/edge/policies/managed/managed
 printf "WARNING! Edge recommended profiles are managed separately.\n"
 
 set +x

etc/samba/playstation2.conf

@@ -27,10 +27,8 @@ deadtime = 0
 keepalive = 60
 
 # All guides seem to use the name PS2SMB, and it may require manual typing
-# on the console.
-# REMEMBER! Like with Windows, the trailing $ makes the share unlisted, you
-# will need to enter it on the PS2 and other devices though!
-[PS2SMB$]
+# on the console
+[PS2SMB]
 Comment = PlayStation2 images
 # PS2 IP
 #hosts allow = 192.168.88.5

etc/unbound/unbound.conf.d/dns-over-tls.conf

@@ -12,6 +12,8 @@ server:
 # This list is for my travel laptop to have at least one DoT443 server
 # which seems to be applied-privacy.net. They advice having multiple DoT servers
 # for redundancy and as they don't filter, it's best I use other non-filtering ones.
+# Since then this expanded to include <https://www.privacyguides.org/en/dns/>.
+# just look at git blame...
 
 forward-zone:
 	name: "."
@@ -48,5 +50,26 @@ forward-zone:
 	forward-addr: 2620:fe::10@8853#dns10.quad9.net
 	forward-addr: 9.9.9.10@853#dns10.quad9.net
 	forward-addr: 9.9.9.10@8853#dns10.quad9.net
+	# Quad9 unfiltered, anycast, ECS, no DNSSEC (Unbound does that)
+	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
+	#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
+	#forward-addr: 9.9.9.12@853#dns12.quad9.net
+	#forward-addr: 9.9.9.12@8853#dns12.quad9.net
+	#forward-addr: 2620:fe::12@853#dns12.quad9.net
+	#forward-addr: 2620:fe::12@8853#dns12.quad9.net
+	#forward-addr: 149.112.112.12@853#dns12.quad9.net
+	#forward-addr: 149.112.112.12@8853#dns12.quad9.net
+
+	# https://www.dns0.eu/open https://www.dns0.eu/network - French based. Private ECS
+	forward-addr: 193.110.81.254@853#open.dns0.eu
+	forward-addr: 185.253.5.254@853#open.dns0.eu
+	forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
+	forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
+
+	# Adguard DNS Unfiltered Anycast. Malta based. Private ECS.
+	forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
+	forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
+	forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
+	forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com
 
 # vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dns64-over-tls.conf

@@ -4,7 +4,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# Fedora
+	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes

etc/unbound/unbound.conf.d/dot-adguard.conf

@@ -1,7 +1,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# Fedora
+	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes

etc/unbound/unbound.conf.d/dot-cloudflare.conf

@@ -1,7 +1,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# Fedora
+	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes

etc/unbound/unbound.conf.d/dot-dns0-quad9.conf

@@ -28,9 +28,7 @@ forward-zone:
 	forward-addr: 193.110.81.0@853#dns0.eu
 	forward-addr: 185.253.5.0@853#dns0.eu
 ## Quad9 IPv6 Secure + ECS
-	forward-addr: 2620:fe::11@8853#dns11.quad9.net
 	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
 	forward-addr: 2620:fe::11@853#dns11.quad9.net
-	forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
 
 # vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-dns0.conf

@@ -1,7 +1,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# Fedora
+	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes

etc/unbound/unbound.conf.d/dot-mullvad.conf

@@ -1,7 +1,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# Fedora
+	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes

etc/unbound/unbound.conf.d/dot-quad9.conf

@@ -5,7 +5,7 @@
 server:
 	# Debian ca-certificates location
 	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# Fedora
+	# ctrl.blog says this is the Fedora location
 	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 	# Use system certificates no matter where they are
 	tls-system-cert: yes