shell-things/etc/systemd/resolved.conf.d
2024-05-15 20:38:49 +03:00

systemd-resolved additional config files

Quickstart

This is also done by ../../systemd-resolv.conf-restore.bash which takes into account more circumstances…

sudo systemctl enable --now systemd-resolved.service
sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# After changing configuration
sudo systemctl restart systemd-resolved

…but ../../systemd-resolv.conf-generate.bash is better. Although ../../resolv.conf-generate.bash is the best this repository has to offer.

Files explained

  • 00-defaults.conf - configuration that should be used everywhere. Enables DNSSEC (even though systemd-resolved does not handle it properly), opportunistic DoT, caching and a local DNS server (because one should exist anyway, as I don't trust systemd-resolved entirely; if there truly is no local resolver, systemd-resolved will detect that and act accordingly).
    • To rephrase, this file is meant to be used together with other files, especially some of those beginning with 10-dot-.
  • 05-do53-dna-moi.conf - DNS servers used by DNA and Moi (who is on DNA's network and owned by them).
  • 05-do53-elisa.conf - DNS servers used by Elisa (and apparently their Saunalahti brand, which still exists here as well).
  • 10-dot-*.conf - configuration for using the named DNS provider over DNS-over-TLS. At least one of these should be used in addition to 00-defaults.conf.
  • 98-local-resolver.conf - attempts to configure a localhost resolver and disables features that are unnecessary in that scenario. A note on numbering: for the same setting a 10-* file takes priority over the 00-* and 05-* files, so if DNSOverTLS=true is uncommented in a 10-dot-*.conf it also applies to the plaintext servers from the 05-do53-*.conf files, which are unlikely to support it (DNS= lists are merged across the drop-ins, while DNSOverTLS= is a single value and the last file wins). When numbering the files I didn't think I would be adding plaintext DNS servers, which I am unlikely to use whenever Unbound is available (and I currently have only one system that has systemd-resolved without Unbound, and it seems to prefer DoT over my router anyway).
  • 99-lan-resolver.conf.sample - when renamed (the .sample suffix dropped) allows enabling resolvers on the LAN, assuming they are trusted. Note that if it is used together with 98-local-resolver.conf, DNSSEC would be disabled.
  • README.md - you are reading it right now.

General commentary

  • DNSOverTLS became supported in systemd v239, strict mode (true) in v243 (with big improvements in v244).
    • TODO: find out when SNI became supported; I just spotted it in the fine manual in 2020-06-??.
  • Domains has to be ~. (a tilde followed by a dot, the route-only domain matching everything) for these servers to override the DHCP-supplied ones. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd, without which I wouldn't have got this right.
  • DNSSEC may not work if the system is down for a long time and not updated (validation depends on the built-in trust anchor being current and the clock being roughly right). Thus allow-downgrade may be better for non-technical people, even with the potential downgrade attack. Captive portals are the corresponding problem for DNSOverTLS. Both settings take true or false or their own special option: DNSSEC=allow-downgrade and DNSOverTLS=opportunistic.
    • Then again, when was any system so outdated that DNSSEC stopped working?
      • TODO: return to this configuration should that actually happen.
      • I am actually running Unbound simultaneously, with resolv.conf pointing to both and `options rotate edns0 trust-ad`, which might work around that potential issue.
  • DNS servers are tried in the order they are specified. systemd-resolved sticks with the first working server; when it stops working it moves on to the next one for as long as that works, and after the last one it wraps around to the beginning of the list.
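
The precedence rules behind the 98-local-resolver.conf note above (a later drop-in's DNSOverTLS=true also covers the plaintext servers merged in from earlier files) and the Domains=~. point are easy to get wrong, so here is an added example, not a file from this repository, that models how systemd-resolved merges resolved.conf.d/*.conf. The merge semantics are a simplification I am assuming here (lexical filename order, scalar keys last-wins, list keys merged with an empty assignment resetting the list), not systemd's own code, and the sample file contents are constructed for the demo: RFC 5737 test addresses stand in for an ISP's plain Do53 servers.

```python
"""Added example, not a file from this repository: a small model of how
systemd-resolved merges the drop-ins in resolved.conf.d/.

Assumed semantics (simplified from systemd's config loading, not its code):
  * drop-ins apply in lexical filename order, so 10-* overrides 00-* and 05-*;
  * scalar keys such as DNSSEC= and DNSOverTLS= keep the last value seen;
  * list keys (DNS=, FallbackDNS=, Domains=) are merged across files, and an
    empty assignment such as "DNS=" resets the list.
The sample file contents below are constructed for the demo; they are not the
real files from this directory.
"""

LIST_KEYS = {"DNS", "FallbackDNS", "Domains"}

# Constructed sample drop-ins (RFC 5737 test addresses stand in for ISP servers).
SAMPLE_DROPINS = {
    "00-defaults.conf": """
[Resolve]
DNSSEC=yes
DNSOverTLS=opportunistic
Cache=yes
DNS=127.0.0.1
""",
    "05-do53-isp.conf": """
[Resolve]
# plain Do53 resolvers of an ISP; they speak no TLS
DNS=192.0.2.53 198.51.100.53
""",
    "10-dot-quad9.conf": """
[Resolve]
# "address#hostname" is systemd's syntax for a DoT server with an SNI name
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
DNSOverTLS=yes
# "~." routes every lookup here instead of to the DHCP-supplied servers
Domains=~.
""",
    "98-local-resolver.conf": """
[Resolve]
# the empty assignment resets the merged DNS= list, then only localhost remains
DNS=
DNS=127.0.0.1
DNSOverTLS=no
""",
}


def parse_dropin(text: str) -> list[tuple[str, str]]:
    """Return the (key, value) pairs of the [Resolve] section, in file order."""
    pairs: list[tuple[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Resolve" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def merge_dropins(files: dict[str, str]) -> dict:
    """Merge drop-ins in lexical filename order with the semantics listed above."""
    effective: dict = {}
    for name in sorted(files):
        for key, value in parse_dropin(files[name]):
            if key in LIST_KEYS:
                if value == "":
                    effective[key] = []                         # reset
                else:
                    effective.setdefault(key, []).extend(value.split())
            else:
                effective[key] = value                          # last file wins
    return effective


def effective_for(names: list[str]) -> dict:
    """Effective settings when only the named sample drop-ins are installed."""
    return merge_dropins({n: SAMPLE_DROPINS[n] for n in names})


def servers_without_sni(effective: dict) -> list[str]:
    """Servers that DNSOverTLS=yes would force to TLS although they were listed
    without an SNI name, i.e. the plain Do53 servers caught by a later file."""
    if effective.get("DNSOverTLS") != "yes":
        return []
    return [s for s in effective.get("DNS", []) if "#" not in s]


if __name__ == "__main__":
    dot = effective_for(["00-defaults.conf", "05-do53-isp.conf", "10-dot-quad9.conf"])
    print("with 10-dot-quad9.conf:", dot)
    print("plain servers now expected to speak TLS:", servers_without_sni(dot))
    local = effective_for(list(SAMPLE_DROPINS))
    print("with 98-local-resolver.conf too:", local)
```

With only the 00, 05 and 10 files installed, the model reports 127.0.0.1 and both ISP servers as plain servers that the 10-* file's DNSOverTLS=yes now expects to speak TLS, which is exactly the failure the numbering note warns about; adding the 98 file resets the list to localhost and turns DoT off again. On a real system the equivalent check is `resolvectl status`, which lists the effective DNS servers and whether DNSOverTLS is on per link.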

Other links I have found important and my files are based on: