shell-things/etc/systemd/resolved.conf.d
2024-05-03 18:07:51 +03:00
..
.gitignore systemd-resolved: rename conf files to have a number prefix 2024-04-28 09:13:20 +03:00
00-defaults.conf systemd-resolved: another attempt at local resolvers 2024-04-25 13:45:37 +03:00
05-do53-dna-moi.conf systemd-resolved: add DNA/Moi & Elisa DNS servers 2024-04-28 16:14:30 +03:00
05-do53-elisa.conf systemd-resolved: add DNA/Moi & Elisa DNS servers 2024-04-28 16:14:30 +03:00
10-dot-443.conf systemd-resolved: rename conf files to have a number prefix 2024-04-28 09:13:20 +03:00
10-dot-adguard.conf systemd-resolved: rename conf files to have a number prefix 2024-04-28 09:13:20 +03:00
10-dot-cloudflare.conf systemd-resolved: rename conf files to have a number prefix 2024-04-28 09:13:20 +03:00
10-dot-dns0.conf systemd-resolved: rename conf files to have a number prefix 2024-04-28 09:13:20 +03:00
10-dot-mullvad.conf systemd-resolved: rename conf files to have a number prefix 2024-04-28 09:13:20 +03:00
10-dot-quad9.conf systemd-resolved & unbound: comment ECS servers again. 2024-05-03 18:07:51 +03:00
98-local-resolver.conf systemd-resolved/98-local-resolver.conf: fix comment talking about alphabet while everything is now numerals 2024-04-28 09:17:07 +03:00
99-lan-resolver.conf.sample systemd-resolved: add 99-lan-resolver.conf.sample for trusted LANs 2024-04-28 09:13:46 +03:00
README.md systemd-resolved: add DNA/Moi & Elisa DNS servers 2024-04-28 16:14:30 +03:00

systemd-resolved additional config files

Quickstart

sudo systemctl enable --now systemd-resolved.service
sudo ln -rsf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# After changing configuration
sudo systemctl restart systemd-resolved

Files explained

  • 00-defaults.conf - configuration that should be used everywhere. Enables DNSSEC (regardless of systemd-resolved not handling it properly), enables opportunistic DoT, caching and local DNS servers (because they should exist anyway as I dont trust systemd-resolved entirely. Anyway if there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
    • To rephrase, this is to be used together with other files, especially some of those beginning with 10-dot-.
  • 05-do53-dna-moi.conf - DNS servers used by DNA and Moi (who is on DNAs network and owned by them)
  • 05-do53-elisa.conf - DNS servers used by Elisa and apparently their Saunalahti still exists here as well.
  • 10-dot-*.conf - configuration to use the DNS provider with DNS-over-TLS. At least one of these should be used in addition to 00-defaults.conf
  • 98-local-resolver.conf attempts to configure localhost resolver and disables unnecessary features for that scenario. The number 10 takes priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will also apply to the former ones that are unlikely to support it. When numbering the files, I didnt think I would be adding the plaintext DNS servers that I am unlikely to use whenever Unbound is available (and I currently have only one system that has systemd-resolved while not having Unbound and it seems to prefer DoT over my router anyway).
  • 99-lan-resolver.conf.sample when renamed would allow enabling resolvers on LAN assuming they are trusted. Note that if used together with 98-local-resolver.conf, DNSSEC would be disabled.
  • README.md - you are reading it right now.

General commentary

  • DNSOverTLS became supported in systemd v239, strict mode (true) in v243 (big improvements in v244).
    • TODO: find out when SNI became supported, I have just spotted it in the fine manual in 2020-06-??.
  • Domains has to be .~ for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd without which I wouldnt have got this right.
  • DNSSEC may not work if the system is down for a long time and not updated. Thus allow-downgrade may be better for non-tech people, even with the potential downgrade attack. There are also captive portals, affecting DNSOverTLS. Both take true or false or their own special option, for DNSSEC the allow-downgrade, for DNSOverTLS opportunistic.
    • Then again when was any system that outdated to not have working DNSSEC?
      • TODO: return to this configuration should that actually happen?
      • I am actually running Unbound simultaneously with resolv.conf pointing to both with options rotate edns0 trust-ad which might workaround that potential issue.

Other links I have found important and my files are based on: