Aminda Suomalainen 44b6e5b618
systemd-networkd: add DNSSEC & DNSOverTLS & search domains 2024-04-22 12:25:25 +03:00
Aminda Suomalainen 945ca0462d
Revert "systemd-networkd: attempt to deduplicate by cutting into 10-global.network"
This reverts commit 19b6fbef3c.
2024-04-22 12:21:56 +03:00
Aminda Suomalainen 06787a38de
resolved/00-no-local-resolver.conf: comment local resolver since I break DNSSEC 2024-04-22 12:14:34 +03:00
Aminda Suomalainen 19b6fbef3c
systemd-networkd: attempt to deduplicate by cutting into 10-global.network 2024-04-22 12:07:39 +03:00
Aminda Suomalainen aac3ccdec3
unbound/well-known-dns.conf: add CNAMEs one.one.one.one & dns.google.com 2024-04-22 11:26:46 +03:00
Aminda Suomalainen dc6fc85174
chromium: exclude bittimittari.fi 2024-04-22 10:09:28 +03:00
Aminda Suomalainen fe1970cfd9
chromium: add brave IPFS disabling policy
IPFS is known for killing routers, and having it on two machines while trying to VoIP with a lot of people gets a bit too heavy
2024-04-22 10:03:53 +03:00
Aminda Suomalainen abd21e008a
well-known-dns.conf: typetransparent subdomains just in case
Theoretically the higher-level domain affects them too, but in practice I am unsure, and I have previously only used always_reject for google-analytics & subdomains blocking. It at least isn't causing warnings or errors.
2024-04-22 07:42:53 +03:00
Aminda Suomalainen 579e98f27c
unbound/well-known-dns.conf: use typetransparent so non-local queries won't get NODATA 2024-04-22 07:28:55 +03:00
Aminda Suomalainen 623a9150fd
unbound: merge 00-insecure-domains.conf into blocklist.conf 2024-04-22 07:10:18 +03:00
Aminda Suomalainen 892feb3c1b
unbound/blocklist: add fritz.box. 2024-04-22 07:06:21 +03:00
9 changed files with 62 additions and 41 deletions


@ -10,7 +10,8 @@
"chat.pikaviestin.fi",
"webchat.disroot.org",
"learn.microsoft.com",
"teams.microsoft.com"
"teams.microsoft.com",
"bittimittari.fi"
],
"learnInIncognito": true,
"learnLocally": true,


@ -7,7 +7,8 @@
"https://webchat.disroot.org",
"https://learn.microsoft.com",
"https://teams.microsoft.com",
"https://glowing-bear.org/",
"https://latest.glowing-bear.org/"
"https://glowing-bear.org",
"https://latest.glowing-bear.org",
"https://bittimittari.fi"
]
}


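--- /dev/null
+++ b/PLACEHOLDER_PATH_not_shown_on_page
@@ -0,0 +1,3 @@
+{
+"IPFSEnabled": false
+}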


@ -28,6 +28,12 @@ IPv6LinkLocalAddressGenerationMode=stable-privacy
#DNS=127.0.0.1
#DNS=::1
#DNS=8.8.4.4
#DNSSEC=true
#DNSSEC=allow-downgrade
#DNSOverTLS=true
#DNSOverTLS=opportunistic
# Search domains
Domains=.
# Enable systemd-timesyncd with `timedatectl set-ntp true`, may be specified
# multiple times, but you are using Chrony instead, right?
#NTP=fi.pool.ntp.org
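Review bot: `Domains=.` under the new `# Search domains` comment differs from the `Domains=~.` used in resolved.conf elsewhere in this commit range; without the tilde, `.` is a search domain rather than a route-only domain, so if the intent is to route every query to this link's DNS servers the tilde is missing — confirm which was meant. The four `DNSSEC=`/`DNSOverTLS=` lines added just above are commented out, so despite the commit title nothing about DNSSEC or DoT changes for this link; presumably the per-link value is meant to stay unset so the global resolved.conf setting applies, and a comment such as `# Deliberately unset: the global value in resolved.conf applies` would record that. The second .network hunk (`@ -23,3 +23,10 @@`) has the same two points. The section this hunk belongs to starts above the hunk.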


@ -23,3 +23,10 @@ IPv6LinkLocalAddressGenerationMode=stable-privacy
MulticastDNS=true
# Windows
LLMNR=true
# systemd-resolved configuration
#DNSSEC=true
#DNSSEC=allow-downgrade
#DNSOverTLS=true
#DNSOverTLS=opportunistic
# Search domains
Domains=.


@ -1,5 +1,5 @@
[Resolve]
# Use this together with other files other than 00-only-unbound.conf!
# Use this together with other files other than 00-only-local-resolver.conf!
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
#DNSSEC=allow-downgrade
# Regardless of the above DNS breaking issues when DNSSEC is
@ -8,8 +8,8 @@
DNSSEC=true
DNSOverTLS=opportunistic
Cache=true
DNS=127.0.0.1
DNS=::1
#DNS=127.0.0.1
#DNS=::1
Domains=~.
# .local domains
MulticastDNS=true
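Review bot: Commenting out `DNS=127.0.0.1` and `DNS=::1` in the second hunk drops the local resolver from resolved's global server list while `DNSSEC=true` and `DNSOverTLS=opportunistic` stay, so queries now go to whatever per-link or fallback servers resolved has, with DoT only opportunistic — and the unbound blocklist and pinned-resolver data changed elsewhere in this range are no longer in the query path unless a link still points at unbound. A comment on the disabled lines stating the new expectation, e.g. `# Local unbound disabled here because it currently breaks DNSSEC validation; queries use per-link DNS`, would make this read as deliberate rather than as a leftover. In the first hunk the comment now refers to `00-only-local-resolver.conf`; file paths are not shown in this view, so confirm that name matches the file that exists. The `[Resolve]` section continues past the end of the hunk.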


@ -1,35 +0,0 @@
# Domains to be sent through plaintext DNS for getting hijacked by devices
# that tend to cause headache.
# Uses Google DNS, because I don't use it for anything else and don't plan
# to for the foreseeable future, so it is easier to spot from logs.
# Is it secure? Google likely also knows I have these devices on my network
# thanks to Android.
server:
forward-zone:
name: "mywifiext.net"
forward-tls-upstream: no
forward-addr: 8.8.8.8
forward-zone:
name: "tplinkrepeater.net"
forward-tls-upstream: no
forward-addr: 8.8.8.8
forward-zone:
name: "router.asus.com"
forward-tls-upstream: no
forward-addr: 8.8.8.8
forward-zone:
name: "norwegianwifi.com"
forward-tls-upstream: no
forward-addr: 8.8.8.8
# Can I refer to subdomain as a zone?
forward-zone:
name: "http.badssl.com"
forward-tls-upstream: no
forward-addr: 8.8.8.8
# vim: filetype=unbound.conf


@ -16,3 +16,23 @@ local-zone: "matrix.to." always_refuse
# A lot of apps integrating Facebook in any form on mobile call this domain
# in particular, likely websites too.
local-zone: "graph.facebook.com." always_refuse
## APPLIANCE/CAPTIVE PORTAL DOMAINS
# Search these through host or dig to another server instead!
# Fritz router/modem default search domain and control panel.
local-zone: "fritz.box." always_refuse
# Netgear
local-zone: "mywifiext.net." always_refuse
# TP-Link
local-zone: "tplinkrepeater.net." always_refuse
# ASUS
local-zone: "router.asus.com." always_refuse
# Norwegian planes
local-zone: "norwegianwifi.com." always_refuse
# vim: filetype=unbound.conf
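Review bot: The new `always_refuse` zones answer REFUSED, and some stub resolvers (systemd-resolved among them, as far as I recall) treat REFUSED as a server failure and retry the next configured server, which would send these appliance names upstream in plaintext — the opposite of what the `## APPLIANCE/CAPTIVE PORTAL DOMAINS` block wants. If an authoritative negative answer is the goal, `always_nxdomain` (or `static`) avoids that retry; confirm against the stub actually in use before switching. The block comment could also mention that these same names were previously forwarded to 8.8.8.8 by the forward-zone file deleted in this range, so a reader knows refusing them is intentional and not an omission.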


@ -2,69 +2,87 @@
# to send queries, even if they are queried by web browser.
server:
# Quad9 Secure
local-zone: "dns.quad9.net." typetransparent
local-data: "dns.quad9.net. A 9.9.9.9"
local-data: "dns.quad9.net. A 149.112.112.112"
local-data: "dns.quad9.net. AAAA 2620:fe::fe"
local-data: "dns.quad9.net. AAAA 2620:fe::9"
# Quad9 No Threat Blocking
local-zone: "dns10.quad9.net." typetransparent
local-data: "dns10.quad9.net. A 9.9.9.10"
local-data: "dns10.quad9.net. A 149.112.112.10"
local-data: "dns10.quad9.net. AAAA 2620:fe::10"
local-data: "dns10.quad9.net. AAAA 2620:fe::fe:10"
# Quad9 Secure + ECS
local-zone: "dns11.quad9.net." typetransparent
local-data: "dns11.quad9.net. A 9.9.9.11"
local-data: "dns11.quad9.net. A 149.112.112.11"
local-data: "dns11.quad9.net. AAAA 2620:fe::11"
local-data: "dns11.quad9.net. AAAA 2620:fe::fe:11"
# Quad9 No Threat Blocking + ECS
local-zone: "dns12.quad9.net." typetransparent
local-data: "dns12.quad9.net. A 9.9.9.12"
local-data: "dns12.quad9.net. A 149.112.112.12"
local-data: "dns12.quad9.net. AAAA 2620:fe::12"
local-data: "dns12.quad9.net. AAAA 2620:fe::fe:12"
# DNS0 default
local-zone: "dns0.eu." typetransparent
local-data: "dns0.eu. A 193.110.81.0"
local-data: "dns0.eu. A 185.253.5.0"
local-data: "dns0.eu. AAAA 2a0f:fc80::"
local-data: "dns0.eu. AAAA 2a0f:fc81::"
# DNS0 Zero
local-zone: "zero.dns0.eu." typetransparent
local-data: "zero.dns0.eu. A 193.110.81.9"
local-data: "zero.dns0.eu. A 185.253.5.9"
local-data: "zero.dns0.eu. AAAA 2a0f:fc80::9"
local-data: "zero.dns0.eu. AAAA 2a0f:fc81::9"
# DNS0 Kids
local-zone: "kids.dns0.eu." typetransparent
local-data: "kids.dns0.eu. A 193.110.81.1"
local-data: "kids.dns0.eu. A 185.253.5.1"
local-data: "kids.dns0.eu. AAAA 2a0f:fc80::1"
local-data: "kids.dns0.eu. AAAA 2a0f:fc81::1"
# DNS0 Open
local-zone: "open.dns0.eu." typetransparent
local-data: "open.dns0.eu. A 193.110.81.254"
local-data: "open.dns0.eu. A 185.253.5.254"
local-data: "open.dns0.eu. AAAA 2a0f:fc80::ffff"
local-data: "open.dns0.eu. AAAA 2a0f:fc81::ffff"
# Cloudflare
local-zone: "cloudflare-dns.com." typetransparent
local-data: "cloudflare-dns.com. A 1.1.1.1"
local-data: "cloudflare-dns.com. A 1.0.0.1"
local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1111"
local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1001"
local-zone: "one.one.one.one." typetransparent
local-data: "one.one.one.one. CNAME cloudflare-dns.com."
# Cloudflare Malware blocking
local-zone: "security.cloudflare-dns.com." typetransparent
local-data: "security.cloudflare-dns.com. A 1.1.1.2"
local-data: "security.cloudflare-dns.com. A 1.0.0.2"
local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1112"
local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1002"
# Mullvad ad, tracker & malware block
local-zone: "base.dns.mullvad.net." typetransparent
local-data: "base.dns.mullvad.net. A 194.242.2.4"
local-data: "base.dns.mullvad.net. AAAA 2a07:e340::4"
# AdGuard Default
local-zone: "dns.adguard-dns.com." typetransparent
local-data: "dns.adguard-dns.com. A 94.140.14.14"
local-data: "dns.adguard-dns.com. A 94.140.15.15"
local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad1:ff"
local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad2:ff"
# Google DNS
local-zone: "dns.google." typetransparent
local-data: "dns.google. A 8.8.8.8"
local-data: "dns.google. A 8.8.4.4"
local-data: "dns.google. AAAA 2001:4860:4860::8888"
local-data: "dns.google. AAAA 2001:4860:4860::8844"
local-zone: "dns.google.com." typetransparent
local-data: "dns.google.com. CNAME dns.google."
# Google DNS64
local-zone: "dns64.dns.google." typetransparent
local-data: "dns64.dns.google. AAAA 2001:4860:4860::6464"
local-data: "dns64.dns.google. AAAA 2001:4860:4860::64"
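Review bot: The new CNAME entries `local-data: "one.one.one.one. CNAME cloudflare-dns.com."` and `local-data: "dns.google.com. CNAME dns.google."` rely on Unbound chasing the CNAME into the sibling local zone; whether a client gets the target's A/AAAA from local data or only the CNAME depends on local-zone handling, and the `typetransparent` type adds a further question about which qtypes are answered locally — worth checking against the local instance and recording the observed behaviour in a comment next to each CNAME. Pinned addresses like these are also a maintenance liability: a comment stating where the values came from and when they were last checked, e.g. `# Addresses checked against the provider's published list on <date>`, lets a future reader tell a stale pin from an intended one. The `server:` clause continues past both ends of the hunk, which begins at file line 2.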