# Don't do this, just run this instead:
# sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

# Problem: unbound is slow to start and everything complains of failing DNS,
# and systemd-resolved often gets itself stuck with DNSSEC.
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867

# Solution that I dislike: use both unbound & systemd-resolved! When one
# breaks, maybe the other still works! Funnily /etc/resolv.conf is still
# restricted to three nameservers.

# unbound
nameserver ::1
nameserver 127.0.0.1

# systemd-resolved. WARNING: May cause DNS leaks.
nameserver 127.0.0.53

# rotate = randomly use all
# edns0 = extended DNS
# trust-ad = trust DNSSEC authenticated data
# timeout:1 = nameserver timeout 1 s (default 5, max 30), then next
# attempts:5 = try the nameserver 5 times, then next (default 2, max 5)
#options rotate edns0 trust-ad
options edns0 trust-ad timeout:1 attempts:5

# no sending local domain to upstream whenever NXDOMAIN happens
search .

# PS. Remove empty lines and comments if this ends up in /etc/resolv.conf
# PPS. The traditional spell is:
# sudo chattr -i /etc/resolv.conf;sudo nvim /etc/resolv.conf;sudo chattr +i /etc/resolv.conf