2025-08-20 05:07:34 +02:00
17 changed files with 39 additions and 43 deletions
--- a/etc/opt/chromium/policies/managed/README.md
+++ b/etc/opt/chromium/policies/managed/README.md
@ -37,8 +37,9 @@
 - [`disable-floc.json`](#disable-flocjson)
 - [`disable-incognito.json`](#disable-incognitojson)
 - [`doh-cloudflare-secure.json`](#doh-cloudflare-securejson)
- [`doh-unlocked-unset.json`](#doh-unlocked-unsetjson)
+- [`doh-allowed.json`](#doh-allowedjson)
 - [`doh-dns0.json`](#doh-dns0json)
+- [`doh-forced.json`](#doh-forcedjson)
 - [`doh-mullvad-base.json`](#doh-mullvad-basejson)
 - [`doh-quad9-ecs.json`](#doh-quad9-ecsjson)
 - [`doh-quad9-insecure-ecs.json`](#doh-quad9-insecure-ecsjson)
@ -253,51 +254,58 @@ Disables incognito mode. I don't recommend this.

 ## `doh-cloudflare-secure.json`

-Sets Cloudflare with malware protection as the forced DNS-over-HTTPS server.
+Sets Cloudflare with malware protection as the DNS-over-HTTPS server.

-## `doh-unlocked-unset.json`
+## `doh-allowed.json`

-If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.
+If no DNS over HTTPS policy is used, this unlocks the setting while still allowing downgrade to system DNS
+(think of DoT opportunistic mode, kind of?). Enabling managed policies disable it by default.

-Incompatible with other `doh-*.json` file, because they set `"DnsOverHttpsMode": "secure",`.
+Incompatible with `doh-forced.json`. This must be used together with any other `doh-*.json` file, but only one of them.

-**_This also causes there to not be ECH._**
+**_No ECH._**

 ## `doh-dns0.json`

-Simply forces DNS-over-HTTPS with DNS0.eu.
+Simply enables DNS-over-HTTPS with DNS0.eu.
+
+## `doh-forced.json`
+
+Enforces use of DNS-over-HTTPS disabling the downgrade.
+
+Incompatible with `doh-allowed.json`. Use this together with any other `doh-*.json` file, but only one of them.
+
+**_Required for ECH._**

 ## `doh-mullvad-base.json`

-Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.
+Enables DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.

 - https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#specifications

 ## `doh-quad9-ecs.json`

-Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
+Enables DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
 their alternative port.

 ## `doh-quad9-insecure-ecs.json`

-Forces DNS over HTTPS with Quad9 ECS enabled unfiltered server and also contains
+Enables DNS over HTTPS with Quad9 ECS enabled unfiltered server and also contains
 their alternative port. **No DNSSEC either.**

 ## `doh-quad9-insecure.json`

-Forces DNS over HTTPS with Quad9 unfiltered server and also contains
+Enables DNS over HTTPS with Quad9 unfiltered server and also contains
 their alternative port. **No DNSSEC either.**

 ## `doh-quad9.json`

-Forces DNS over HTTPS with Quad9 threat-blocking server and also contains
+Enables DNS over HTTPS with Quad9 threat-blocking server and also contains
 their alternative port.

 ## `enable-ech-ocsp.json`

-Enables encrypted client hello (ECH) and Online Certificate Status Protocol (OCSP) (or Certificate Revocation List (CRL)?) checks.
-
-However ECH seems to require `"DnsOverHttpsMode": "secure"` from the `doh-*` files and OCSP seems to bypass that going to the system resolver.
+Enables encrypted client hello and OCSP (or CRL?) checks.

 ## `enable-labs.json`

--- a/etc/opt/chromium/policies/managed/doh-unlocked-unset.json
+++ b/etc/opt/chromium/policies/managed/doh-unlocked-unset.json
--- a/etc/opt/chromium/policies/managed/doh-cloudflare-secure.json
+++ b/etc/opt/chromium/policies/managed/doh-cloudflare-secure.json
@ -1,4 +1,3 @@
 {
-  "DnsOverHttpsMode": "secure",
  "DnsOverHttpsTemplates": "https://security.cloudflare-dns.com/dns-query"
 }
--- a/etc/opt/chromium/policies/managed/doh-dns0-kids.json
+++ b/etc/opt/chromium/policies/managed/doh-dns0-kids.json
@ -1,4 +1,3 @@
 {
-  "DnsOverHttpsMode": "secure",
  "DnsOverHttpsTemplates": "https://kids.dns0.eu/"
 }
--- a/etc/opt/chromium/policies/managed/doh-dns0-open.json
+++ b/etc/opt/chromium/policies/managed/doh-dns0-open.json
@ -1,4 +1,3 @@
 {
-  "DnsOverHttpsMode": "secure",
  "DnsOverHttpsTemplates": "https://open.dns0.eu/"
 }
--- a/etc/opt/chromium/policies/managed/doh-dns0-zero.json
+++ b/etc/opt/chromium/policies/managed/doh-dns0-zero.json
@ -1,4 +1,3 @@
 {
-  "DnsOverHttpsMode": "secure",
  "DnsOverHttpsTemplates": "https://zero.dns0.eu/"
 }
--- a/etc/opt/chromium/policies/managed/doh-dns0.json
+++ b/etc/opt/chromium/policies/managed/doh-dns0.json
@ -1,4 +1,3 @@
 {
-  "DnsOverHttpsMode": "secure",
  "DnsOverHttpsTemplates": "https://dns0.eu/"
 }
--- a/etc/opt/chromium/policies/managed/doh-forced.json
+++ b/etc/opt/chromium/policies/managed/doh-forced.json
@ -0,0 +1,3 @@
+{
+  "DnsOverHttpsMode": "secure"
+}
--- a/etc/opt/chromium/policies/managed/doh-mullvad-base.json
+++ b/etc/opt/chromium/policies/managed/doh-mullvad-base.json
@ -1,4 +1,3 @@
 {
-  "DnsOverHttpsMode": "secure",
  "DnsOverHttpsTemplates": "https://base.dns.mullvad.net/dns-query"
 }
--- a/etc/opt/chromium/policies/managed/doh-quad9-ecs.json
+++ b/etc/opt/chromium/policies/managed/doh-quad9-ecs.json
@ -1,4 +1,3 @@
 {
-  "DnsOverHttpsMode": "secure",
  "DnsOverHttpsTemplates": "https://dns11.quad9.net/dns-query https://dns11.quad9.net:5053/dns-query"
 }
--- a/etc/opt/chromium/policies/managed/doh-quad9-insecure-ecs.json
+++ b/etc/opt/chromium/policies/managed/doh-quad9-insecure-ecs.json
@ -1,4 +1,3 @@
 {
-  "DnsOverHttpsMode": "secure",
  "DnsOverHttpsTemplates": "https://dns12.quad9.net/dns-query https://dns12.quad9.net:5053/dns-query"
 }
--- a/etc/opt/chromium/policies/managed/doh-quad9-insecure.json
+++ b/etc/opt/chromium/policies/managed/doh-quad9-insecure.json
@ -1,4 +1,3 @@
 {
-  "DnsOverHttpsMode": "secure",
  "DnsOverHttpsTemplates": "https://dns10.quad9.net/dns-query https://dns10.quad9.net:5053/dns-query"
 }
--- a/etc/opt/chromium/policies/managed/doh-quad9.json
+++ b/etc/opt/chromium/policies/managed/doh-quad9.json
@ -1,4 +1,3 @@
 {
-  "DnsOverHttpsMode": "secure",
  "DnsOverHttpsTemplates": "https://dns.quad9.net/dns-query https://dns.quad9.net:5053/dns-query"
 }
--- a/etc/systemd/resolved.conf.d/.gitignore
+++ b/etc/systemd/resolved.conf.d/.gitignore
@ -1 +0,0 @@
-dot-trex.conf
--- a/etc/systemd/resolved.conf.d/dot-quad9.conf
+++ b/etc/systemd/resolved.conf.d/dot-quad9.conf
@ -1,6 +1,3 @@
-# https://docs.quad9.net/services/
-# https://www.trex.fi/service/resolvers.html - says they don't provide
-# encryption, but host a Quad9 node and giving these addresses instead.
 [Resolve]
 # Secure
 DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
--- a/etc/systemd/resolved.conf.d/dot-trex.conf
+++ b/etc/systemd/resolved.conf.d/dot-trex.conf
@ -1 +0,0 @@
-dot-quad9.conf
--- a/etc/unbound/unbound.conf.d/dot-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-quad9.conf
@ -18,39 +18,39 @@ forward-zone:
 	forward-tls-upstream: yes
 	## Secure
 	forward-addr: 2620:fe::fe@853#dns.quad9.net
-	forward-addr: 2620:fe::fe@8853#dns.quad9.net
-	forward-addr: 2620:fe::9@853#dns.quad9.net
-	forward-addr: 2620:fe::9@8853#dns.quad9.net
 	forward-addr: 9.9.9.9@853#dns.quad9.net
-	forward-addr: 9.9.9.9@8853#dns.quad9.net
+	forward-addr: 2620:fe::9@853#dns.quad9.net
 	forward-addr: 149.112.112.112@853#dns.quad9.net
+	forward-addr: 2620:fe::fe@8853#dns.quad9.net
+	forward-addr: 9.9.9.9@8853#dns.quad9.net
+	forward-addr: 2620:fe::9@8853#dns.quad9.net
 	forward-addr: 149.112.112.112@8853#dns.quad9.net
 	## No Threat Blocking
 	#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
-	#forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
 	#forward-addr: 149.112.112.10@853#dns10.quad9.net
-	#forward-addr: 149.112.112.10@8853#dns10.quad9.net
 	#forward-addr: 2620:fe::10@853#dns10.quad9.net
-	#forward-addr: 2620:fe::10@8853#dns10.quad9.net
 	#forward-addr: 9.9.9.10@853#dns10.quad9.net
+	#forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
+	#forward-addr: 149.112.112.10@8853#dns10.quad9.net
+	#forward-addr: 2620:fe::10@8853#dns10.quad9.net
 	#forward-addr: 9.9.9.10@8853#dns10.quad9.net
 	## Secure + ECS
 	#forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
-	#forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
 	#forward-addr: 9.9.9.11@853#dns11.quad9.net
-	#forward-addr: 9.9.9.11@8853#dns11.quad9.net
 	#forward-addr: 2620:fe::11@853#dns11.quad9.net
-	#forward-addr: 2620:fe::11@8853#dns11.quad9.net
 	#forward-addr: 149.112.112.11@853#dns11.quad9.net
+	#forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
+	#forward-addr: 9.9.9.11@8853#dns11.quad9.net
+	#forward-addr: 2620:fe::11@8853#dns11.quad9.net
 	#forward-addr: 149.112.112.11@8853#dns11.quad9.net
 	## No Threat Blocking + ECS
 	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
-	#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
 	#forward-addr: 9.9.9.12@853#dns12.quad9.net
-	#forward-addr: 9.9.9.12@8853#dns12.quad9.net
 	#forward-addr: 2620:fe::12@853#dns12.quad9.net
-	#forward-addr: 2620:fe::12@8853#dns12.quad9.net
 	#forward-addr: 149.112.112.12@853#dns12.quad9.net
+	#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
+	#forward-addr: 9.9.9.12@8853#dns12.quad9.net
+	#forward-addr: 2620:fe::12@8853#dns12.quad9.net
 	#forward-addr: 149.112.112.12@8853#dns12.quad9.net

 # vim: filetype=unbound.conf