etc/opt/chromium/policies/managed/doh-disabled.json

@@ -1,3 +0,0 @@
-{
-  "DnsOverHttpsMode": "off"
-}

etc/opt/chromium/policies/managed/doh-google.json

@@ -1,4 +0,0 @@
-{
-  "DnsOverHttpsMode": "automatic",
-  "DnsOverHttpsTemplates": "https://dns.google/dns-query"
-}

etc/unbound/unbound.conf.d/cache.conf

@@ -10,13 +10,11 @@ server:
 	rrset-cache-size: 50m
 	# nxdomain cache, default 1m
 	neg-cache-size: 10m
-	# Increases TTL of all queries to 900 seconds (5 minutes) if upstream has
-	# a lower one. I have been using this since August 2019 without issues.
-	#cache-min-ttl: 900
-	# https://blog.apnic.net/2019/11/12/stop-using-ridiculously-low-dns-ttls/
-	# dares setting the minimum cache to something between 40 minute and 60,
-	# so how about 50 minutes? However it predates RFC 8767.
-	cache-min-ttl: 3000
+	# Cache results for 15 minutes even if they had a shorter TTL. Cloudflare
+	# zone export used to have 1 second, and I have also been seeing 1
+	# minute in the wild, I think 5 mins shouldn't break anything, but bigger
+	# might.
+	cache-min-ttl: 900
 	# Update cache for popular items before they expire. ~10 % traffic
 	# increase according to `man unbound.conf`
 	prefetch: yes
@@ -25,16 +23,6 @@ server:
 	# Allow expired results to be served if they are in cache. The cache will
 	# get updated the next time.
 	serve-expired: yes
-	# Serve expired data up to one day (RFC 8767)
-	serve-expired-ttl: 86400
-	# If serving expired data to client, explicitly give it TTL 30 seconds
-	serve-expired-reply-ttl: 30
-	# Serve expired data to client if there is no answer in 1.8 seconds as per
-	# common timeout 2 seconds according to the RFC 8767
-	#serve-expired-client-timeout: 1800
-	# However my /etc/resolv.conf timeout is 1 second since all my nameservers
-	# are localhost, so let's wait 0.8 seconds instead.
-	serve-expired-client-timeout: 800
 	# DNSSEC errors for valid and expired records
 	ede: yes
 	ede-serve-expired: yes

etc/unbound/unbound.conf.d/dot-cloudflare.conf

@@ -1,34 +0,0 @@
-server:
-	# Debian ca-certificates location
-	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# ctrl.blog says this is the Fedora location
-	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-	# Use system certificates no matter where they are
-	tls-system-cert: yes
-	# Quad9 says pointless performance impact on forwarders.
-	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
-	qname-minimisation: no
-
-forward-zone:
-	name: "."
-	forward-tls-upstream: yes
-
-	# Default / unfiltered
-	#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
-	#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
-	#forward-addr: 1.1.1.1@853#cloudflare-dns.com
-	#forward-addr: 1.0.0.1@853#cloudflare-dns.com
-
-	# Malware blocking
-	forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
-	forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
-	forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
-	forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
-
-	# Malware and adult content blocking
-	#forward-addr: 2606:4700:4700::1113@853#family.cloudflare-dns.com
-	#forward-addr: 2606:4700:4700::1003@853#family.cloudflare-dns.com
-	#forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
-	#forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
-
-# vim: filetype=unbound.conf