systemd-resolved: think more on local resolvers or not

unbound/dot-*quad9.conf: add DNS10 & DNS12 (commented), remove extra spaces
systemd-resolved/dot-quad9.conf: add commented DNS10 & DNS12
2025-08-19 12:47:27 +02:00 · 2024-04-18 14:31:56 +03:00 · 2024-04-18 11:16:20 +03:00 · 2024-04-18 11:08:23 +03:00 · 2024-04-18 09:29:02 +03:00
7 changed files with 72 additions and 28 deletions
--- a/conf/tmux.conf
+++ b/conf/tmux.conf
@ -44,5 +44,6 @@ set -g escape-time 300
 # Or for tmux >= 2.6
 set -sg escape-time 300
-# Turn the clock red. It's the least bad colour especially at night.
+# Turn the clock yellow. Red would be better at night, but I am used to
-setw -g clock-mode-colour red
+# looking at amber in my terminals and thus yellow is less distracting.
 setw -g clock-mode-colour yellow
--- a/etc/systemd/resolved.conf.d/00-no-local-resolver.conf
+++ b/etc/systemd/resolved.conf.d/00-no-local-resolver.conf
@ -1,4 +1,5 @@
 [Resolve]
 # Use this together with other files other than 00-only-unbound.conf!
 # https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
 #DNSSEC=allow-downgrade
 # Regardless of the above DNS breaking issues when DNSSEC is
--- a/etc/systemd/resolved.conf.d/00-only-local-resolver.conf
+++ b/etc/systemd/resolved.conf.d/00-only-local-resolver.conf
@ -0,0 +1,12 @@
 [Resolve]
 # All this is done by Unbound. Don't use other files together with this one.
 DNSSEC=false
 DNSOverTLS=false
 Cache=false
 DNS=127.0.0.1
 DNS=::1
 Domains=~.
 # .local domains
 MulticastDNS=true
 # Microsoft Windows compatibility?
 LLMNR=true
--- a/etc/systemd/resolved.conf.d/README.md
+++ b/etc/systemd/resolved.conf.d/README.md
@ -26,9 +26,15 @@ sudo systemctl restart systemd-resolved
 ## Files explained
- `00-defaults.conf` - configuration that should be used everywhere.
+- `00-no-local-resolver.conf` - configuration that should be used everywhere.
  Enables DNSSEC (regardless of systemd-resolved not handling it properly),
-  enables opportunistic DoT, caching and local DNS servers.
+  enables opportunistic DoT, caching and local DNS servers (because they
  should exist anyway as I don't trust systemd-resolved entirely. Anyway if
  there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
  - To rephrase, this is sto be used together with other files, especially
    some of those beginning with `dot-`.
 - `00-only-local-resolver.conf` - for when there is known local resolver.
  **_Don't combine this with the other files._**
 - `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
  captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
  should be used in addition to `00-defaults.conf`
--- a/etc/systemd/resolved.conf.d/dot-quad9.conf
+++ b/etc/systemd/resolved.conf.d/dot-quad9.conf
@ -1,7 +1,12 @@
 [Resolve]
 # Secure
 #DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
-# ECS
+# No Threat Blocking
 #DNS=2620:fe::10#dns10.quad9.net 149.112.112.10#dns10.quad9.net 2620:fe::fe:10#dns10.quad9.net 9.9.9.10#dns10.quad9.net
 # Secure + ECS
 DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
 # No Threat Blocking + ECS
 #DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net
 # Uncomment for port 443 resolver
 #DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
 #DNSOverTLS=true
--- a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
@ -25,25 +25,34 @@ forward-zone:
 	forward-addr: 193.110.81.0@853#dns0.eu
 	forward-addr: 2a0f:fc81::@853#dns0.eu
 	forward-addr: 185.253.5.0@853#dns0.eu
-	# # Unfiltered
+	## Unfiltered
-	# forward-addr: 193.110.81.254@853#open.dns0.eu
+	#forward-addr: 193.110.81.254@853#open.dns0.eu
-	# forward-addr: 185.253.5.254@853#open.dns0.eu
+	#forward-addr: 185.253.5.254@853#open.dns0.eu
-	# forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
+	#forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
-	# forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
+	#forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
-	# # Heavier filtering
+	## Heavier filtering
-	# forward-addr: 2a0f:fc80::9@853#zero.dns0.eu
+	#forward-addr: 2a0f:fc80::9@853#zero.dns0.eu
-	# forward-addr: 193.110.81.9@853#zero.dns0.eu
+	#forward-addr: 193.110.81.9@853#zero.dns0.eu
-	# forward-addr: 2a0f:fc81::9@853#zero.dns0.eu
+	#forward-addr: 2a0f:fc81::9@853#zero.dns0.eu
-	# forward-addr: 185.253.5.9@853#zero.dns0.eu
+	#forward-addr: 185.253.5.9@853#zero.dns0.eu
 ## Quad9
-	## Default
+	## Secure
-	# forward-addr: 2620:fe::fe@853#dns.quad9.net
+	#forward-addr: 2620:fe::fe@853#dns.quad9.net
-	# forward-addr: 9.9.9.9@853#dns.quad9.net
+	#forward-addr: 9.9.9.9@853#dns.quad9.net
-	# forward-addr: 2620:fe::9@853#dns.quad9.net
+	#forward-addr: 2620:fe::9@853#dns.quad9.net
-	# forward-addr: 149.112.112.112@853#dns.quad9.net
+	#forward-addr: 149.112.112.112@853#dns.quad9.net
-	## ECS
+	## No Threat Blocking
 	#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
 	#forward-addr: 149.112.112.10@853#dns10.quad9.net
 	#forward-addr: 2620:fe::10@853#dns10.quad9.net
 	#forward-addr: 9.9.9.10@853#dns10.quad9.net
 	## Secure + ECS
 	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
 	forward-addr: 9.9.9.11@853#dns11.quad9.net
 	forward-addr: 2620:fe::11@853#dns11.quad9.net
 	forward-addr: 149.112.112.11@853#dns11.quad9.net
 	## No Threat Blocking + ECS
 	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
 	#forward-addr: 9.9.9.12@853#dns12.quad9.net
 	#forward-addr: 2620:fe::12@853#dns12.quad9.net
 	#forward-addr: 149.112.112.12@853#dns12.quad9.net
--- a/etc/unbound/unbound.conf.d/dot-quad9.conf
+++ b/etc/unbound/unbound.conf.d/dot-quad9.conf
@ -12,13 +12,23 @@ server:
 forward-zone:
 	name: "."
 	forward-tls-upstream: yes
-	## Default
+	## Secure
-	# forward-addr: 2620:fe::fe@853#dns.quad9.net
+	#forward-addr: 2620:fe::fe@853#dns.quad9.net
-	# forward-addr: 9.9.9.9@853#dns.quad9.net
+	#forward-addr: 9.9.9.9@853#dns.quad9.net
-	# forward-addr: 2620:fe::9@853#dns.quad9.net
+	#forward-addr: 2620:fe::9@853#dns.quad9.net
-	# forward-addr: 149.112.112.112@853#dns.quad9.net
+	#forward-addr: 149.112.112.112@853#dns.quad9.net
-	## ECS
+	## No Threat Blocking
 	#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
 	#forward-addr: 149.112.112.10@853#dns10.quad9.net
 	#forward-addr: 2620:fe::10@853#dns10.quad9.net
 	#forward-addr: 9.9.9.10@853#dns10.quad9.net
 	## Secure + ECS
 	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
 	forward-addr: 9.9.9.11@853#dns11.quad9.net
 	forward-addr: 2620:fe::11@853#dns11.quad9.net
 	forward-addr: 149.112.112.11@853#dns11.quad9.net
 	## No Threat Blocking + ECS
 	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
 	#forward-addr: 9.9.9.12@853#dns12.quad9.net
 	#forward-addr: 2620:fe::12@853#dns12.quad9.net
 	#forward-addr: 149.112.112.12@853#dns12.quad9.net
Author	SHA1	Message	Date
Aminda Suomalainen	b248392e8a	systemd-resolved: think more on local resolvers or not	2024-04-18 14:31:56 +03:00
Aminda Suomalainen	4c4508ba36	unbound/dot-*quad9.conf: add DNS10 & DNS12 (commented), remove extra spaces	2024-04-18 11:16:20 +03:00
Aminda Suomalainen	9aa71de638	systemd-resolved/dot-quad9.conf: add commented DNS10 & DNS12	2024-04-18 11:08:23 +03:00
Aminda Suomalainen	855630579d	tmux.conf: turn the clock yellow	2024-04-18 09:29:02 +03:00