unbound/conf.d: add vim modelines/filetypes

conf/librewolf.overrides.cfg

@@ -112,8 +112,9 @@ pref("reader.parse-on-load.force-enabled", true);
 //pref("network.trr.mode", 2);
 defaultPref("network.trr.mode", 3);
 pref("network.trr.early-AAAA", true);
-defaultPref("network.trr.uri", "https://dns0.eu");
-//pref("network.trr.uri", "https://dns.adguard-dns.com/dns-query");
+//defaultPref("network.trr.uri", "https://dns0.eu");
+defaultPref("network.trr.uri"), "https://dns11.quad9.net/dns-query");
+//defaultPref("network.trr.uri", "https://dns.adguard-dns.com/dns-query");
 // NOTE: ECH requires TRR, so mode 2 may not use it.
 defaultPref("network.trr.disable-ECS", false);
 pref("network.dns.echconfig.enabled", true);

etc/firefox/policies/policies.json

@@ -25,7 +25,7 @@
     "DNSOverHTTPS": {
       "Enabled": true,
       "Locked": false,
-      "ProviderURL": "https://dns0.eu"
+      "ProviderURL": "https://dns11.quad9.net/dns-query"
     },
     "DisablePocket": false,
     "EnableTrackingProtection": {

etc/opt/chromium/policies/managed/README.md

@@ -34,6 +34,7 @@
 - [`disable-brave-vpn.json`](#disable-brave-vpnjson)
 - [`disable-floc.json`](#disable-flocjson)
 - [`disable-incognito.json`](#disable-incognitojson)
+- [`doh-cloudflare-secure.json`](#doh-cloudflare-securejson)
 - [`doh-allowed.json`](#doh-allowedjson)
 - [`doh-dns0.json`](#doh-dns0json)
 - [`doh-forced.json`](#doh-forcedjson)
@@ -233,6 +234,10 @@ Disables floc or ad topics that are against privacy.
 
 Disables incognito mode. I don't recommend this.
 
+## `doh-cloudflare-secure.json`
+
+Sets Cloudflare with malware protection as the DNS-over-HTTPS server.
+
 ## `doh-allowed.json`
 
 If no DNS over HTTPS policy is used, this unlocks the setting while still allowing downgrade to system DNS
@@ -240,6 +245,8 @@ If no DNS over HTTPS policy is used, this unlocks the setting while still allowi
 
 Incompatible with `doh-forced.json`. This must be used together with any other `doh-*.json` file, but only one of them.
 
+**_No ECH._**
+
 ## `doh-dns0.json`
 
 Simply enables DNS-over-HTTPS with DNS0.eu.
@@ -250,6 +257,8 @@ Enforces use of DNS-over-HTTPS disabling the downgrade.
 
 Incompatible with `doh-allowed.json`. Use this together with any other `doh-*.json` file, but only one of them.
 
+**_Required for ECH._**
+
 ## `doh-mullvad-base.json`
 
 Enables DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.

etc/opt/chromium/policies/managed/doh-cloudflare-secure.json

@@ -0,0 +1,3 @@
+{
+  "DnsOverHttpsTemplates": "https://security.cloudflare-dns.com/dns-query"
+}

etc/unbound/.gitignore

@@ -0,0 +1 @@
+conf.d

etc/unbound/conf.d

@@ -0,0 +1 @@
+unbound.conf.d

etc/unbound/unbound.conf.d/00-insecure-domains.conf

@@ -35,3 +35,5 @@ forward-zone:
 	name: "http.badssl.com"
 	forward-tls-upstream: no
 	forward-addr: 8.8.8.8
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/cache.conf

@@ -23,3 +23,5 @@ server:
 	# Allow expired results to be served if they are in cache. The cache will
 	# get updated the next time.
 	serve-expired: yes
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/debian-root-auto-trust-anchor-file.conf

@@ -4,3 +4,5 @@ server:
 	# The following line will configure unbound to perform cryptographic
 	# DNSSEC validation using the root trust anchor.
 	auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dns-over-tls.conf

@@ -32,3 +32,5 @@ forward-zone:
 	forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
 	forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
 	forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dns64-over-tls.conf

@@ -27,3 +27,5 @@ forward-zone:
 	# Cloudflare for 64:ff9b::/96
 	forward-addr: 2606:4700:4700::64@853#dns64.cloudflare-dns.com
 	forward-addr: 2606:4700:4700::6400@853#dns64.cloudflare-dns.com
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dnscrypt-proxy.conf

@@ -3,3 +3,5 @@ do-not-query-localhost: no
 forward-zone:
 	name: "."
 	forward-addr: 127.0.2.1@53
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-adguard.conf

@@ -18,3 +18,5 @@ forward-zone:
 	forward-addr: 94.140.15.15@853#dns.adguard.com
 
 # Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-dns0-quad9.conf

@@ -56,3 +56,5 @@ forward-zone:
 	#forward-addr: 9.9.9.12@853#dns12.quad9.net
 	#forward-addr: 2620:fe::12@853#dns12.quad9.net
 	#forward-addr: 149.112.112.12@853#dns12.quad9.net
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-dns0.conf

@@ -27,3 +27,5 @@ forward-zone:
 	# forward-addr: 193.110.81.9@853#zero.dns0.eu
 	# forward-addr: 2a0f:fc81::9@853#zero.dns0.eu
 	# forward-addr: 185.253.5.9@853#zero.dns0.eu
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-fluhable-cache.conf

@@ -29,3 +29,5 @@ forward-zone:
 	forward-addr: 8.8.4.4@853#dns.google
 	forward-addr: 2001:4860:4860::8888@853#dns.google
 	forward-addr: 2001:4860:4860::8844@853#dns.google
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-quad9.conf

@@ -32,3 +32,5 @@ forward-zone:
 	#forward-addr: 9.9.9.12@853#dns12.quad9.net
 	#forward-addr: 2620:fe::12@853#dns12.quad9.net
 	#forward-addr: 149.112.112.12@853#dns12.quad9.net
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/local-tlds.conf

@@ -4,3 +4,5 @@ server:
 local-zone: "local." static
 local-zone: "internal." static
 local-zone: "invalid." static
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/logging.conf

@@ -8,3 +8,5 @@ server:
 	verbosity: 2
 	# Print statistics to the log hourly
 	statistics-interval: 3600
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/nordvpn.conf

@@ -16,3 +16,5 @@ forward-zone:
 	forward-addr: 2a0f:fc81::ffff
 	forward-addr: 193.110.81.254
 	forward-addr: 185.253.5.254
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/plain-dns64.conf

@@ -18,3 +18,5 @@ forward-zone:
 	# Google DNS64 for 64:ff9b::/96 (reserved NAT64 space)
 	#forward-addr: 2001:4860:4860::6464
 	#forward-addr: 2001:4860:4860::64
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/prefer-ipv6.conf

@@ -1,3 +1,5 @@
 server:
 	# Prefer IPv6 transport for sending DNS queries to internet nameservers.
 	prefer-ip6: yes
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/threads.conf

@@ -2,3 +2,5 @@ server:
 	# Use two threads, I think more than 1 threads will help with Firefox
 	# at times telling name resolution failed
 	num-threads: 2
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/unbound-control.conf

@@ -23,3 +23,5 @@ control-key-file: "/etc/unbound/unbound_control.key"
 
 # unbound-control certificate file.
 control-cert-file: "/etc/unbound/unbound_control.pem"
+
+# vim: filetype=unbound.conf