[Resolve]
# Don't trust upstream to verify DNSSEC, even if was encrypted.
# https://notes.valdikss.org.ru/jabber.ru-mitm/
# BREAKAGE WARNING for everything else than DNSSEC=false !
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
# PRIVACY WARNING! systemd-networkd/links may override this.
# NOTE: Empty variables unset whatever is set before! They are not a mistake.
DNSSEC=true
# Take the risk of downgrade attacks. Web browser policies enforce
# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
# it.
#DNSOverTLS=opportunistic
DNSOverTLS=true
Cache=true
# Consider local DNS servers if they exist.
DNS=
DNS=::1
DNS=127.0.0.1
FallbackDNS=
FallbackDNS=::1
FallbackDNS=127.0.0.1
Domains=~.
# .local domains
MulticastDNS=true
# Microsoft Windows compatibility?
LLMNR=true

# vim: filetype=systemd