etc/hosts/blocklist: use only ::1, systemd-resolved will fix it automatically to 127.0.0.1 too

Although in systemd-resolved.conf everything is already implied

etc/NetworkManager-resolv.conf-restore.bash

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -x
+
+# I learned that not only systemd-resolved does this, but NetworkManager as
+# well. I think it's even less likely I use this than the systemd-resolved
+# one, but anyway
+
+# I know there are old versions that used something else, but I don't remember
+# that name and they are ancient.
+if ! hash nmcli 2>/dev/null; then
+	echo "You don't seem to have NetworkManager (or nmcli) installed." 1>&2
+	exit 1
+fi
+
+# Require root or exit
+if [ "$(id -u)" != "0" ]; then
+	echo "This script requires root." 1>&2
+	exit 1
+fi
+
+# It's pointless to make a dead symlink as it must be running
+systemctl enable --now NetworkManager.service
+
+# In case I am behind the /etc/resolv.conf, it's immutable and read-only,
+# which won't allow it to be rewritten.
+chattr -V -i /etc/resolv.conf
+chmod -v +w /etc/resolv.conf
+
+# It must be removed if it's not a symlink
+rm -v /etc/resolv.conf
+
+# and finally making the symlink
+ln -sfv /var/run/NetworkManager/resolv.conf /etc/resolv.conf
+
+# Let's just see it's ok
+ls -l /etc/resolv.conf
+cat /etc/resolv.conf
+
+set +x

etc/NetworkManager/conf.d/.gitignore

@@ -1,2 +1 @@
-dns-none.conf
 no-resolvconf.conf

etc/NetworkManager/conf.d/connectivity.conf

@@ -8,3 +8,5 @@ interval=100
 # sudo apt install network-manager-config-connectivity-debian
 # for /usr/lib/NetworkManager/conf.d/20-connectivity-debian.conf
 # (http://network-test.debian.org/nm without interval)
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/dns-none.conf

@@ -1 +0,0 @@
-paws-off-my-resolv.conf

etc/NetworkManager/conf.d/dns-none.conf

@@ -0,0 +1,8 @@
+[main]
+# No managing DNS, no managing resolv.conf (implied made explicit here) and
+# don't push data to systemd-resolved either.
+dns=none
+rc-manager=unmanaged
+systemd-resolved=false
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/ipv6privacy.conf

@@ -2,3 +2,5 @@
 [connection]
 # Enable IPv6 privacy extensions, but this doesn't seem to work.
 ipv6.ip6-privacy=2
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/iwd.conf

@@ -9,3 +9,5 @@
 [device]
 wifi.backend=iwd
 wifi.iwd.autoconnect=true
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/keyfile.conf

@@ -2,3 +2,5 @@
 # Disable misbehaving NIC
 #unmanaged-devices=mac:xx:xx:xx:xx:xx:xx
 #hostname=HOSTNAME_TO_SEND_TO_DHCPD
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/manage-ifupdown.conf

@@ -1,3 +1,5 @@
 # Brings /etc/network/interfaces(.d/*) under control of NetworkManager
 [ifupdown]
 managed=true
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/mdns.conf

@@ -2,3 +2,5 @@
 [connection]
 connection.mdns=2
 connection.llmnr=2
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/no-mac-randomizing.conf

@@ -2,3 +2,5 @@
 # network.
 [device]
 wifi.scan-rand-mac-address=no
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/no-search-domains.conf

@@ -1,4 +1,8 @@
 # This should stop search domains from being used and potentially leaking
 # queries to search domain DNS server when they fail
 [global-dns]
-searches=
+#searches=
+# I am doubtful of the above being enough
+searches=.
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/no-systemd-resolved.conf

@@ -0,0 +1,6 @@
+[main]
+# Don't tell systemd-resolved DNS information aquired from DHCP.
+systemd-resolved=false
+# NOTE! This file doesn't comment on how resolv.conf (rc) is managed
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/paws-off-my-resolv.conf

@@ -1,2 +1,8 @@
 [main]
-dns=none
+# dns=none would disable all DNS management by NetworkManager, while the goal
+# here is to just not touch my resolv.conf. This implies NetworkManager may
+# still send data to systemd-resolved.
+#dns=none
+rc-manager=unmanaged
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/systemd-resolved.conf

@@ -1,2 +1,10 @@
 [main]
+# Send data to systemd-resolved
 dns=systemd-resolved
+# Even if I use systemd-resolved, I don't want NetworkManager to touch my
+# resolv.conf
+rc-manager=none
+# Implied, but made explicit
+systemd-resolved=true
+
+# vim: filetype=NetworkManager.conf

etc/NetworkManager/conf.d/unbound.conf

@@ -3,3 +3,5 @@
 # again seems to expect unbound-control-setup to be done/enabled
 [main]
 dns=unbound
+
+# vim: filetype=NetworkManager.conf

etc/hosts/blocklist

@@ -1,14 +1,14 @@
 #
 ##### BEGIN AMINDA BLOCKLIST #####
 
+# NOTE! systemd-resolved will automatically make ::1 also 127.0.0.1
+
 # Facebook API that a lot of things call, will break things for Facebook
 # users, so don't apply on hosts those use
-:: graph.facebook.com
+::1 graph.facebook.com
-0.0.0.0 graph.facebook.com
 
 # Unnecessary service for Matrix rooms. I was dared to block it.
-:: matrix.to www.matrix.to
+::1 matrix.to www.matrix.to
-0.0.0.0 matrix.to www.matrix.to
 
 ##### END AMINDA BLOCKLIST #####
 #

etc/hosts/dns

@@ -3,11 +3,11 @@
 
 # Well known DNS servers to be appended to /etc/hosts
 
-# Quad 9 Secure
+# Quad 9 Recommended (Secure)
-9.9.9.9 dns.quad9.net
+9.9.9.9 dns.quad9.net dns9.quad9.net
-149.112.112.112 dns.quad9.net
+149.112.112.112 dns.quad9.net dns9.quad9.net
-2620:fe::fe dns.quad9.net
+2620:fe::fe dns.quad9.net dns9.quad9.net
-2620:fe::9 dns.quad9.net
+2620:fe::9 dns.quad9.net dns9.quad9.net
 
 # Quad9 No Threat Blocking
 9.9.9.10 dns10.quad9.net
@@ -30,26 +30,50 @@
 # DNS0 default
 193.110.81.0 dns0.eu
 185.253.5.0 dns0.eu
-2a0f:fc80:: dns0.eu
+# Uses private ECS, which gets inaccurate with IPv6 directing traffic to
-2a0f:fc81:: dns0.eu
+# other side of the country at best and different country at worst. Thus
+# attempt to make everything only use it for IPv4 (browser fallback is system
+# resolver which does IPv6 if IPv4 breaks, even if ECH will break).
+#2a0f:fc80:: dns0.eu
+#2a0f:fc81:: dns0.eu
+::ffff:193.110.81.0 dns0.eu
+::ffff:185.253.5.0 dns0.eu
 
 # DNS0 Zero
 193.110.81.9 zero.dns0.eu
 185.253.5.9 zero.dns0.eu
-2a0f:fc80::9 zero.dns0.eu
+# Uses private ECS, which gets inaccurate with IPv6 directing traffic to
-2a0f:fc81::9 zero.dns0.eu
+# other side of the country at best and different country at worst. Thus
+# attempt to make everything only use it for IPv4 (browser fallback is system
+# resolver which does IPv6 if IPv4 breaks, even if ECH will break).
+#2a0f:fc80::9 zero.dns0.eu
+#2a0f:fc81::9 zero.dns0.eu
+::ffff:193.110.81.9 zero.dns0.eu
+::ffff:185.253.5.9 zero.dns0.eu
 
 # DNS0 Kids
 193.110.81.1 kids.dns0.eu
 185.253.5.1 kids.dns0.eu
-2a0f:fc80::1 kids.dns0.eu
+# Uses private ECS, which gets inaccurate with IPv6 directing traffic to
-2a0f:fc81::1 kids.dns0.eu
+# other side of the country at best and different country at worst. Thus
+# attempt to make everything only use it for IPv4 (browser fallback is system
+# resolver which does IPv6 if IPv4 breaks, even if ECH will break).
+#2a0f:fc80::1 kids.dns0.eu
+#2a0f:fc81::1 kids.dns0.eu
+::ffff:193.110.81.1 kids.dns0.eu
+::ffff:185.253.5.1 kids.dns0.eu
 
 # DNS0 Open
 193.110.81.254 open.dns0.eu
 185.253.5.254 open.dns0.eu
-2a0f:fc80::ffff open.dns0.eu
+# Uses private ECS, which gets inaccurate with IPv6 directing traffic to
-2a0f:fc81::ffff open.dns0.eu
+# other side of the country at best and different country at worst. Thus
+# attempt to make everything only use it for IPv4 (browser fallback is system
+# resolver which does IPv6 if IPv4 breaks, even if ECH will break).
+#2a0f:fc80::ffff open.dns0.eu
+#2a0f:fc81::ffff open.dns0.eu
+::ffff:193.110.81.254 open.dns0.eu
+::ffff:185.253.5.254 open.dns0.eu
 
 # Cloudflare
 1.1.1.1 cloudflare-dns.com one.one.one.one
@@ -69,8 +93,14 @@
 # AdGuard Default
 94.140.14.14 dns.adguard-dns.com
 94.140.15.15 dns.adguard-dns.com
-2a10:50c0::ad1:ff dns.adguard-dns.com
+# Uses private ECS, which gets inaccurate with IPv6 directing traffic to
-2a10:50c0::ad2:ff dns.adguard-dns.com
+# other side of the country at best and different country at worst. Thus
+# attempt to make everything only use it for IPv4 (browser fallback is system
+# resolver which does IPv6 if IPv4 breaks, even if ECH will break).
+#2a10:50c0::ad1:ff dns.adguard-dns.com
+#2a10:50c0::ad2:ff dns.adguard-dns.com
+::ffff:94.140.14.14 dns.adguard-dns.com
+::ffff:94.140.15.15 dns.adguard-dns.com
 
 # Google DNS
 8.8.8.8 dns.google dns.google.com