shell-things/etc/systemd/resolved.conf.d
Latest commit: Aminda Suomalainen, 3009af55a6, 2024-04-10 15:09:31 +03:00
resolved.conf.d/README.md: mention 00-defaults and dot-something being supposed to be used together

Files in this directory:
  • 00-defaults.conf, dot-adguard.conf, dot-cloudflare.conf, dot-dns0.conf, dot-mullvad.conf, dot-quad9.conf, nordvpn.conf: last changed 2024-04-10 15:06:14 +03:00, "systemd-resolved: further decrease repeating, comment DNS-Over-TLS since it's in 00-defaults.conf already (+ local resolver)"
  • README.md: last changed 2024-04-10 15:09:31 +03:00, "resolved.conf.d/README.md: mention 00-defaults and dot-something being supposed to be used together"

README.md

systemd-resolved additional config files

Quickstart

sudo systemctl enable --now systemd-resolved.service
# Point /etc/resolv.conf at the stub listener (127.0.0.53) so that libc sends its lookups to resolved
sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# After changing configuration (drop-ins in /etc/systemd/resolved.conf.d are only read at start)
sudo systemctl restart systemd-resolved

Files explained

  • 00-defaults.conf - configuration that should be used everywhere. Enables DNSSEC (even though systemd-resolved's DNSSEC handling is known to be imperfect), opportunistic DNS-over-TLS, caching and local DNS servers.
  • dot-*.conf - configuration to use the named DNS provider with DNS-over-TLS. If captive portals are a concern, set DNSOverTLS=no (a portal that intercepts DNS and blocks port 853 makes strict mode fail every lookup). At least one of these should be used in addition to 00-defaults.conf.
  • README.md - you are reading it right now.

General commentary

  • Based on my test, DNSOverTLS is not supported in Ubuntu 18.04.x LTS (systemd v237); however, at the time of writing this README.md the current version is Ubuntu 20.04.0. DNSOverTLS= became supported in systemd v239, strict mode (yes) in v243 (big improvements in v244).
    • TODO: find out when SNI became supported; I have just spotted it in the fine manual in 2020-06-??.
  • Domains= has to be ~. (tilde, then dot) for the configured servers to override the ones received via DHCP: ~. makes the servers in that file the route for all lookups, whereas a plain search domain does not. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd, without which I wouldn't have got this right.
  • DNSSEC may not work if the system has been down for a long time and not updated: validation depends on the root trust anchor shipped with resolved (supplementable under /etc/dnssec-trust-anchors.d/) and on the clock being roughly right, since signatures have validity windows. Thus allow-downgrade may be better for non-technical people, even with the potential downgrade attack (an on-path attacker can make the upstream look DNSSEC-incapable). Captive portals are the matching problem for DNSOverTLS, and opportunistic mode has the same weakness: it protects against passive observation only, since an active attacker can simply block port 853 to force plaintext. Both settings take yes or no, or their own middle option: allow-downgrade for DNSSEC, opportunistic for DNSOverTLS.
    • Then again, when was any system so outdated that it did not have working DNSSEC?
      • TODO: return to this configuration should that actually happen?
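As an added example, not one of the repository's own files, the script below renders the two-file layout from "Files explained" (a shared 00-defaults.conf plus a strict dot-<provider>.conf) and lints a drop-in for the two mistakes discussed in this section: writing Domains=.~ instead of Domains=~., and using strict DNSOverTLS=yes with servers that carry no #hostname (resolved then checks the certificate against the bare IP and sends no SNI). The Quad9 addresses and dns.quad9.net are that provider's published values; the render_* and check_dropin functions, the install step and the file names are this example's own assumptions, not something the repository ships.

```shell
#!/bin/sh
# Added example: generate and sanity-check systemd-resolved drop-ins in the
# 00-defaults.conf + dot-<provider>.conf shape. Requires root only for install.

# Shared baseline: DNSSEC with fallback, DoT when offered, caching.
render_defaults() {
    cat <<'EOF'
[Resolve]
# Validate DNSSEC, but fall back to unsigned answers if upstream cannot do it.
DNSSEC=allow-downgrade
# Use DNS-over-TLS when the server supports it; survives captive portals.
DNSOverTLS=opportunistic
Cache=yes
EOF
}

# Provider drop-in. $1 = "yes" (strict) or "opportunistic"; the remaining
# arguments are "ip#hostname" server specs (hostname = SNI + cert validation).
render_dot() {
    mode="$1"; shift
    printf '[Resolve]\n'
    printf 'DNS=%s\n' "$*"
    # ~. routes every lookup here, overriding servers pushed by DHCP.
    printf 'Domains=~.\n'
    printf 'DNSOverTLS=%s\n' "$mode"
}

# Lint a drop-in for the mistakes this README warns about. Returns 0 if clean.
check_dropin() {
    f="$1"; rc=0
    if grep -q '^Domains=\.~' "$f"; then
        echo "$f: Domains=.~ is wrong, use Domains=~. (tilde first)"; rc=1
    fi
    if grep -q '^DNSOverTLS=yes' "$f"; then
        # Strict mode without "#hostname": certificate is matched against the
        # IP only and no SNI is sent; prefer the hostname form.
        servers=$(sed -n 's/^DNS=//p' "$f")
        for s in $servers; do
            case "$s" in
                *#*) ;;
                *) echo "$f: strict mode but server $s has no #hostname"; rc=1 ;;
            esac
        done
    fi
    return $rc
}

# Write both files to the real drop-in directory and reload (root required).
install_dropins() {
    dir=/etc/systemd/resolved.conf.d
    mkdir -p "$dir"
    render_defaults > "$dir/00-defaults.conf"
    render_dot yes '9.9.9.9#dns.quad9.net' '149.112.112.112#dns.quad9.net' \
        > "$dir/dot-quad9.conf"
    check_dropin "$dir/dot-quad9.conf"
    systemctl restart systemd-resolved
    resolvectl status
}

# Only touch the system when explicitly asked: ./resolved-dropins.sh install
if [ "${1:-}" = install ]; then
    install_dropins
fi
```

After `install`, `resolvectl status` should list the Quad9 servers as the global DNS servers with DNS-over-TLS and DNSSEC reported per link; if a captive portal is in the way, switch the dot-*.conf to `render_dot opportunistic ...` (or DNSOverTLS=no, as the README suggests) rather than disabling the whole file.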

Other links I have found important and my files are based on: