etc/hosts/README.md

@@ -1,36 +0,0 @@
-# `/etc/hosts`
-
-This file is DNS before DNS and legacy remain which is still used.
-
-<!-- editorconfig-checker-disable -->
-<!-- prettier-ignore-start -->
-
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
-
-- [dns](#dns)
-- [`hosts.fedora`](#hostsfedora)
-- [`hosts.debian`](#hostsdebian)
-
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
-
-<!-- prettier-ignore-end -->
-<!-- editorconfig-checker-enable -->
-
-## dns
-
-This began from question why should I have DNS to have DNS, but having it
-on DNS resolver level broke DNSSEC due to my weird mixing of systemd-resolved
-and Unbound, so now it's something I can attempt to `/etc/hosts`.
-
-**_EXCERCISE CAUTION!_**
-
-## `hosts.fedora`
-
-I am pretty sure this is the `/etc/hosts` that was given me by Fedora < 40
-with changes removed.
-
-## `hosts.debian`
-
-I think this is the Debian format which used to be just `../hosts` in this
-repository.

etc/hosts/dns

@@ -1,84 +0,0 @@
-##### BEGIN DNS RESOLVER LIST #####
-
-# Well known DNS servers to be appended to /etc/hosts
-
-# Quad 9 Secure
-9.9.9.9 dns.quad9.net
-149.112.112.112 dns.quad9.net
-2620:fe::fe dns.quad9.net
-2620:fe::9 dns.quad9.net
-
-# Quad9 No Threat Blocking
-9.9.9.10 dns10.quad9.net
-149.112.112.10 dns10.quad9.net
-2620:fe::10 dns10.quad9.net
-2620:fe::fe:10 dns10.quad9.net
-
-# Quad9 Secure + ECS
-9.9.9.11 dns11.quad9.net
-149.112.112.11 dns11.quad9.net
-2620:fe::11 dns11.quad9.net
-2620:fe::fe:11 dns11.quad9.net
-
-# Quad9 No Threat Blocking + ECS
-9.9.9.12 dns12.quad9.net
-149.112.112.12 dns12.quad9.net
-2620:fe::12 dns12.quad9.net
-2620:fe::fe:12 dns12.quad9.net
-
-# DNS0 default
-193.110.81.0 dns0.eu
-185.253.5.0 dns0.eu
-2a0f:fc80:: dns0.eu
-2a0f:fc81:: dns0.eu
-
-# DNS0 Zero
-193.110.81.9 zero.dns0.eu
-185.253.5.9 zero.dns0.eu
-2a0f:fc80::9 zero.dns0.eu
-2a0f:fc81::9 zero.dns0.eu
-
-# DNS0 Kids
-193.110.81.1 kids.dns0.eu
-185.253.5.1 kids.dns0.eu
-2a0f:fc80::1 kids.dns0.eu
-2a0f:fc81::1 kids.dns0.eu
-
-# DNS0 Open
-193.110.81.254 open.dns0.eu
-185.253.5.254 open.dns0.eu
-2a0f:fc80::ffff open.dns0.eu
-2a0f:fc81::ffff open.dns0.eu
-
-# Cloudflare
-1.1.1.1 cloudflare-dns.com one.one.one.one
-1.0.0.1 cloudflare-dns.com one.one.one.one
-2606:4700:4700::1111 cloudflare-dns.com one.one.one.one
-2606:4700:4700::1001 cloudflare-dns.com one.one.one.one
-
-1.1.1.2 security.cloudflare-dns.com
-1.0.0.2 security.cloudflare-dns.com
-2606:4700:4700::1112 security.cloudflare-dns.com
-2606:4700:4700::1002 security.cloudflare-dns.com
-
-# Mullvad ad, tracker & malware block
-194.242.2.4 base.dns.mullvad.net
-2a07:e340::4 base.dns.mullvad.net
-
-# AdGuard Default
-94.140.14.14 dns.adguard-dns.com
-94.140.15.15 dns.adguard-dns.com
-2a10:50c0::ad1:ff dns.adguard-dns.com
-2a10:50c0::ad2:ff dns.adguard-dns.com
-
-# Google DNS
-8.8.8.8 dns.google dns.google.com
-8.8.4.4 dns.google dns.google.com
-2001:4860:4860::8888 dns.google dns.google.com
-2001:4860:4860::8844 dns.google dns.google.com
-
-# Google DNS64
-2001:4860:4860::6464 dns64.dns.google
-2001:4860:4860::64 dns64.dns.google
-
-##### END DNS RESOLVER LIST #####

etc/hosts/hosts.fedora

@@ -1,7 +0,0 @@
-# Loopback entries; do not change.
-# For historical reasons, localhost precedes localhost.localdomain:
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-# See hosts(5) for proper format and other examples:
-# 192.168.1.10 foo.example.org foo
-# 192.168.1.13 bar.example.org bar

etc/resolv.conf

@@ -12,17 +12,16 @@
 nameserver ::1
 nameserver 127.0.0.1
 
-# systemd-resolved. WARNING: May cause DNS leaks.
+# systemd-resolved
 nameserver 127.0.0.53
 
-# rotate = randomly use all
-# edns0 = extended DNS
-# trust-ad DNSSEC answers
-#options rotate edns0 trust-ad
-options edns0 trust-ad
+# randomly utilize both, extended DNS, trust DNSSEC from both
+options rotate edns0 trust-ad
 
 # no sending local domain to upstream whenever NXDOMAIN happens
 search .
+# Attempt to mDNS everything?
+#search .local
 
 # PS. Remove empty lines and comments if this ends up in /etc/resolv.conf
 # PPS. The traditional spell is:

etc/systemd/network/10-ether.network

@@ -10,8 +10,6 @@ Type=ether
 RequiredForOnline=false
 # Takes "ipv4", "ipv6", "both", or "any" (default).
 RequiredFamilyForOnline=both
-# If something else (like NetworkManager) manages network, uncomment
-#Unmanaged=true
 # Always set administrative state to up. Implies RequiredForOnline=true
 #ActivationPolicy=always-up
 # Required for mDNS
@@ -24,15 +22,16 @@ Address=192.168.0.2/24
 Gateway=192.168.0.1
 IPv6PrivacyExtensions=true
 IPv6LinkLocalAddressGenerationMode=stable-privacy
+# DNS has no effect unless systemd-resolved is used. Why would it be used?
 # systemctl enable systemd-resolved && systemctl start systemd-resolved
 # ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
-DNS=
-DNS=::1
-DNS=127.0.0.1
-DNS=127.0.0.53
-DNSSEC=true
+#DNS=127.0.0.1
+#DNS=::1
+#DNS=8.8.4.4
+#DNSSEC=true
+#DNSSEC=allow-downgrade
+#DNSOverTLS=true
 #DNSOverTLS=opportunistic
-DNSOverTLS=true
 # Search domains
 Domains=.
 # Enable systemd-timesyncd with `timedatectl set-ntp true`, may be specified

etc/systemd/network/10-none.network

@@ -1,20 +0,0 @@
-# Yggdrasil appears as type none
-[Match]
-Type=none
-
-[Link]
-Unmanaged=true
-Multicast=false
-
-[Network]
-IPv6PrivacyExtensions=true
-IPv6LinkLocalAddressGenerationMode=stable-privacy
-Domains=.
-MulticastDNS=false
-LLMNR=false
-DNSSEC=true
-DNSOverTLS=opportunistic
-DNS=
-DNS=::1
-DNS=127.0.0.1
-DNS=127.0.0.53

etc/systemd/network/10-wireguard.network

@@ -1,19 +0,0 @@
-[Match]
-Type=wireguard
-
-[Link]
-Unmanaged=true
-Multicast=false
-
-[Network]
-IPv6PrivacyExtensions=true
-IPv6LinkLocalAddressGenerationMode=stable-privacy
-Domains=.
-MulticastDNS=false
-LLMNR=false
-DNSSEC=true
-DNSOverTLS=opportunistic
-DNS=
-DNS=::1
-DNS=127.0.0.1
-DNS=127.0.0.53

etc/systemd/network/10-wlan.network

@@ -19,17 +19,14 @@ Multicast=true
 DHCP=true
 IPv6PrivacyExtensions=true
 IPv6LinkLocalAddressGenerationMode=stable-privacy
-DNS=
-DNS=::1
-DNS=127.0.0.1
-DNS=127.0.0.53
 # Enable mDNS/.local for systemd-resolved
 MulticastDNS=true
 # Windows
 LLMNR=true
 # systemd-resolved configuration
-DNSSEC=true
+#DNSSEC=true
+#DNSSEC=allow-downgrade
+#DNSOverTLS=true
 #DNSOverTLS=opportunistic
-DNSOverTLS=true
 # Search domains
 Domains=.

etc/systemd/resolved.conf.d/00-defaults.conf

@@ -1,24 +0,0 @@
-[Resolve]
-# Don't trust upstream to verify DNSSEC, even if was encrypted.
-# https://notes.valdikss.org.ru/jabber.ru-mitm/
-# BREAKAGE WARNING for everything else than DNSSEC=false !
-# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
-# PRIVACY WARNING! systemd-networkd/links may override this.
-DNSSEC=true
-# Take the risk of downgrade attacks. Web browser policies enforce
-# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
-# it.
-#DNSOverTLS=opportunistic
-DNSOverTLS=true
-Cache=true
-# Consider local DNS servers if they exist. Empty should erase previous values.
-DNS=
-DNS=127.0.0.1
-DNS=::1
-Domains=~.
-# .local domains
-MulticastDNS=true
-# Microsoft Windows compatibility?
-LLMNR=true
-
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/00-no-local-resolver.conf

@@ -0,0 +1,19 @@
+[Resolve]
+# Use this together with other files other than 00-only-local-resolver.conf!
+# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
+#DNSSEC=allow-downgrade
+# Regardless of the above DNS breaking issues when DNSSEC is
+# enabled/opportunistic, it provides authentication which is important. TLS
+# cannot be fully trusted. https://notes.valdikss.org.ru/jabber.ru-mitm/
+DNSSEC=true
+DNSOverTLS=opportunistic
+Cache=true
+#DNS=127.0.0.1
+#DNS=::1
+Domains=~.
+# .local domains
+MulticastDNS=true
+# Microsoft Windows compatibility?
+LLMNR=true
+
+# vim: filetype=systemd

etc/systemd/resolved.conf.d/00-only-local-resolver.conf

@@ -0,0 +1,14 @@
+[Resolve]
+# All this is done by Unbound. Don't use other files together with this one.
+DNSSEC=false
+DNSOverTLS=false
+Cache=false
+DNS=127.0.0.1
+DNS=::1
+Domains=~.
+# .local domains
+MulticastDNS=true
+# Microsoft Windows compatibility?
+LLMNR=true
+
+# vim: filetype=systemd

etc/systemd/resolved.conf.d/README.md

@@ -26,15 +26,19 @@ sudo systemctl restart systemd-resolved
 
 ## Files explained
 
-- `00-defaults.conf` - configuration that should be used everywhere.
+- `00-no-local-resolver.conf` - configuration that should be used everywhere.
   Enables DNSSEC (regardless of systemd-resolved not handling it properly),
   enables opportunistic DoT, caching and local DNS servers (because they
   should exist anyway as I don't trust systemd-resolved entirely. Anyway if
   there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
-  - To rephrase, this is to be used together with other files, especially
+  - To rephrase, this is sto be used together with other files, especially
     some of those beginning with `dot-`.
-- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS.
-  At least one of these should be used in addition to `00-defaults.conf`
+- `00-only-local-resolver.conf` - for when there is known local resolver.
+  **_Don't combine this with the other files._**
+- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
+  captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
+  should be used in addition to `00-defaults.conf`
+- `nordvpn.conf` - includes NordVPN's resolver addresses for hosts using it
 - `README.md` - you are reading it right now.
 
 ## General commentary

etc/systemd/resolved.conf.d/nordvpn.conf

@@ -0,0 +1,5 @@
+[Resolve]
+DNS=2400:bb40:4444::103 2400:bb40:8888::103
+DNS=103.86.96.100 103.86.99.100
+
+# vim: filetype=systemd