mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2024-11-20 01:59:22 +01:00
.. | ||
00-no-local-resolver.conf | ||
00-only-local-resolver.conf | ||
dot-adguard.conf | ||
dot-cloudflare.conf | ||
dot-dns0.conf | ||
dot-mullvad.conf | ||
dot-quad9.conf | ||
nordvpn.conf | ||
README.md |
systemd-resolved additional config files
Quickstart
sudo systemctl enable --now systemd-resolved.service
sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# After changing configuration
sudo systemctl restart systemd-resolved
Files explained
00-no-local-resolver.conf
- configuration that should be used everywhere. Enables DNSSEC (regardless of systemd-resolved not handling it properly), enables opportunistic DoT, caching and local DNS servers (because they should exist anyway as I don’t trust systemd-resolved entirely. Anyway if there truly is no local resolver, systemd-resolved will detect that and act accordingly.)- To rephrase, this is sto be used together with other files,
especially some of those beginning with
dot-
.
- To rephrase, this is sto be used together with other files,
especially some of those beginning with
00-only-local-resolver.conf
- for when there is known local resolver. Don’t combine this with the other files.dot-*.conf
- configuration to use the DNS provider with DNS-over-TLS. If captive portals are a concern,DNSOverTLS=opportunistic
. At least one of these should be used in addition to00-defaults.conf
nordvpn.conf
- includes NordVPN’s resolver addresses for hosts using itREADME.md
- you are reading it right now.
General commentary
- DNSOverTLS became supported in systemd v239, strict mode (true) in
v243 (big improvements in v244).
- TODO: find out when SNI became supported, I have just spotted it in the fine manual in 2020-06-??.
- Domains has to be
.~
for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd without which I wouldn’t have got this right. - DNSSEC may not work if the system is down for a long time and not
updated. Thus
allow-downgrade
may be better for non-tech people, even with the potential downgrade attack. There are also captive portals, affectingDNSOverTLS
. Both taketrue
orfalse
or their own special option, for DNSSEC theallow-downgrade
, for DNSOverTLSopportunistic
.- Then again when was any system that outdated to not have working
DNSSEC?
- TODO: return to this configuration should that actually happen?
- I am actually running Unbound simultaneously with
resolv.conf
pointing to both withoptions rotate edns0 trust-ad
which might workaround that potential issue.
- Then again when was any system that outdated to not have working
DNSSEC?
Other links I have found important and my files are based on:
- https://wiki.archlinux.org/index.php/Systemd-resolved
- Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
- request for strict DoT: https://github.com/systemd/systemd/issues/10755
- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397