diff --git a/pkg/de-p1st-dns/DoT.conf b/pkg/de-p1st-dns/DoT.conf
new file mode 100644
index 0000000..6195a83
--- /dev/null
+++ b/pkg/de-p1st-dns/DoT.conf
@@ -0,0 +1,11 @@
+[Resolve]
+DNS=5.9.164.112:853#dns3.digitalcourage.de 46.182.19.48:853#dns2.digitalcourage.de
+DNSOverTLS=yes
+DNSSEC=yes
+FallbackDNS=185.95.218.42:853#dns.digitale-gesellschaft.ch 185.95.218.43:853#dns.digitale-gesellschaft.ch 89.233.43.71:853#unicast.uncensoreddns.org 5.1.66.255:853#dot.ffmuc.net
+Domains=~.
+Cache=yes
+#LLMNR=yes
+#MulticastDNS=yes
+#DNSStubListener=yes
+#ReadEtcHosts=yes
diff --git a/pkg/de-p1st-dns/PKGBUILD b/pkg/de-p1st-dns/PKGBUILD
new file mode 100644
index 0000000..84f53ce
--- /dev/null
+++ b/pkg/de-p1st-dns/PKGBUILD
@@ -0,0 +1,37 @@
+# Maintainer: Daniel Langbein
+_pkgname=dns
+_reponame=arch-pkg
+pkgname="de-p1st-$_pkgname"
+pkgver=0.0.1
+pkgrel=1
+pkgdesc="DNS configuration: Use DNS over TLS"
+arch=('any')
+url="https://git.privacy1st.de/langfingaz/${_reponame}"
+license=('MIT')
+groups=()
+
+# systemd-resolvd
+depends=('systemd')
+# (optional) replacement for resolvconf
+depends+=('systemd-resolvconf')
+
+makedepends=('git')
+optdepends=()
+provides=()
+conflicts=() # 'openresolv' conflicts with 'systemd-resolvd'
+replaces=()
+backup=()
+options=()
+install=
+changelog=
+source=("git+${url}.git")
+noextract=()
+sha256sums=('SKIP')
+
+package() {
+ cd "${_reponame}/pkg/${pkgname}"
+
+ install -Dm0644 DoT.conf "$pkgdir"/etc/systemd/resolved.conf.d/DoT.conf
+ install -Dm0644 dns.conf "$pkgdir"/etc/NetworkManager/conf.d/dns.conf
+ install -Dm0644 systemd.preset "$pkgdir"/usr/lib/systemd/system-preset/"$pkgname".preset
+}
diff --git a/pkg/de-p1st-dns/README.md b/pkg/de-p1st-dns/README.md
new file mode 100644
index 0000000..b157dd2
--- /dev/null
+++ b/pkg/de-p1st-dns/README.md
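Review bot: `FallbackDNS=` on the fifth line of DoT.conf does not act as a secondary for the two Digitalcourage servers: per resolved.conf(5) the fallback list is consulted only when no other DNS server information is known at all, and `DNS=` is set in the same drop-in, so an outage of both `DNS=` entries ends in resolution failure rather than a switch to the Digitale Gesellschaft, UncensoredDNS or ffmuc servers. If those four are meant as secondaries, append them to `DNS=` (resolved moves on to the next server in that list when one fails) and keep `FallbackDNS=` only for the no-configuration case; otherwise state the intent in a comment. The file also has no comment on `Domains=~.`, which is the line that makes these TLS servers win over per-link resolvers pushed by DHCP; suggest `# Route all lookups via the global servers above instead of per-link (DHCP) resolvers`. A one-line header noting that `DNSOverTLS=yes` is strict mode with no plaintext fallback would make the purpose of the drop-in clear to the next reader.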
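Review bot: `source=("git+${url}.git")` together with `sha256sums=('SKIP')` builds whatever commit is at the remote HEAD when makepkg runs, so `pkgver=0.0.1` does not pin the resolver configuration this package installs system-wide; add a fragment such as `source=("git+${url}.git#tag=v${pkgver}")` (or `#commit=<COMMIT_ID>`) so a rebuild is reproducible and a force-pushed or compromised branch cannot change the DNS settings unnoticed. The two files installed under `/etc` are configuration, but `backup=()` is empty, so a local edit to `DoT.conf` or `dns.conf` is overwritten on every upgrade; suggest `backup=('etc/systemd/resolved.conf.d/DoT.conf' 'etc/NetworkManager/conf.d/dns.conf')`. The comment on `conflicts=()` names the openresolv conflict but leaves the array empty; if the conflict is expected to come transitively from `systemd-resolvconf`, say so in the comment, otherwise list `openresolv` there. The comments also spell the service `systemd-resolvd`; the unit installed below is `systemd-resolved.service`.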
@@ -0,0 +1,158 @@
+# DNS
+
+List of DNS servers
+
+* kuketz-blog
+ * https://www.kuketz-blog.de/empfehlungsecke/#dns
+* Digitalcourage
+ * https://digitalcourage.de/support/zensurfreier-dns-server
+ * DoT, DNSSEC: 5.9.164.112:853#dns3.digitalcourage.de
+ * DoT, DNSSEC: 46.182.19.48:853#dns2.digitalcourage.de
+* Digitale Gesellschaft
+ * https://www.digitale-gesellschaft.ch/dns/
+ * DoT, DNSSEC: 185.95.218.42:853#dns.digitale-gesellschaft.ch
+ * DoT, DNSSEC: 185.95.218.43:853#dns.digitale-gesellschaft.ch
+* UncensoredDNS
+ * https://blog.uncensoreddns.org/dns-servers/
+ * 89.233.43.71:853#unicast.uncensoreddns.org
+* https://ffmuc.net/wiki/doku.php?id=knb:dohdot
+ * 5.1.66.255:853#dot.ffmuc.net
+
+## Unencrypted DNS - Network Manager Configuration
+
+* https://wiki.archlinux.org/index.php/NetworkManager#Custom_DNS_servers
+
+```shell
+echo '[global-dns-domain-*]
+# servers=serveripaddress1,serveripaddress2,serveripaddress3
+servers=46.182.19.48,2a02:2970:1002::18,91.239.100.100,2001:67c:28a4::,89.233.43.71,2a01:3a0:53:53::' \
+| sudo tee /etc/NetworkManager/conf.d/dns-servers.conf
+
+sudo systemctl restart NetworkManager
+```
+
+## Encrypted DNS - systemd-resolved
+
+* https://wiki.archlinux.org/index.php/Systemd-resolved#DNS_over_TLS
+* https://www.freedesktop.org/software/systemd/man/resolved.conf.html#
+* `domains=~.`
+ * https://unix.stackexchange.com/a/632292
+* https://fedoramagazine.org/use-dns-over-tls/
+
+> systemd-resolved provides resolver services
+> for Domain Name System (DNS) (including DNSSEC
+> and DNS over TLS), Multicast DNS (mDNS) and
+> Link-Local Multicast Name Resolution (LLMNR)
+
+Installation:
+
+```shell
+# already preinstalled, contains systemd-resolved
+sudo pacman -S --needed systemd
+
+# remove openresolv! It is in conflict with systemd-resolvd
+sudo pacman -Rns openresolv
+
+# optional: install resolvconf replacement (for use with systemd-resolved)
+sudo pacman -S --needed systemd-resolvconf
+```
+
+Resolver configuration:
+
+```shell
+sudo mkdir -p /etc/systemd/resolved.conf.d
+
+echo \
+'[Resolve]
+DNS=5.9.164.112:853#dns3.digitalcourage.de 46.182.19.48:853#dns2.digitalcourage.de
+DNSOverTLS=yes
+DNSSEC=yes
+FallbackDNS=185.95.218.42:853#dns.digitale-gesellschaft.ch 185.95.218.43:853#dns.digitale-gesellschaft.ch 89.233.43.71:853#unicast.uncensoreddns.org 5.1.66.255:853#dot.ffmuc.net
+Domains=~.
+Cache=yes
+#LLMNR=yes
+#MulticastDNS=yes
+#DNSStubListener=yes
+#ReadEtcHosts=yes' \
+| sudo tee /etc/systemd/resolved.conf.d/DoT.conf >/dev/null
+```
+
+NetworkManager -> use systemd-resolved:
+
+- There are multiple alternatives to do this
+- From man page https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html:
+ If resolv.conf is symlink (see symlink
+ line below), then NetworkManager wil automatically use
+ resolvd. This is the nicest method.
+ - https://wiki.archlinux.org/index.php/Systemd-resolved#DNS
+- Alternative: Add "[main] dns=systemd-resolved"
+ to /etc/NetworkManager/conf.d/dns.conf
+ - https://wiki.archlinux.org/index.php/NetworkManager#systemd-resolved
+
+```shell
+# resolv.conf generated by NetworkManager
+sudo systemctl stop NetworkManager
+if [ ! -f /etc/resolv.conf.backup ]; then sudo mv /etc/resolv.conf /etc/resolv.conf.backup; fi
+sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+```
+
+Enabling systemd-resolvd:
+
+```shell
+sudo systemctl enable --now systemd-resolved.service
+```
+
+Restarting NetworkManager:
+
+```shell
+sudo systemctl restart NetworkManager
+```
+
+After some seconds, `resolv.conf` should just contain `nameserver 127.0.0.53`
+
+```shell
+cat /etc/resolv.conf
+```
+
+See also: `resolvectl status`
+
+
+## Verification of unencrypted DNS
+
+```shell
+sudo pacman -S --needed ngrep
+
+sudo ngrep port 53
+```
+
+The destination IP addresses should be one of the configured dns servers:
+
+```
+yoda@yodaTux ~ % sudo ngrep port 53
+interface: wlp1s0 (192.168.178.0/255.255.255.0)
+filter: ( port 53 ) and ((ip || ip6) || (vlan && (ip || ip6)))
+#
+U 192.168.178.71:60481 -> 46.182.19.48:53 #1
+ <............wiki.archlinux.org.....
+```
+
+## Verification of unencrypted DNS
+
+```shell
+sudo pacman -S --needed ngrep
+
+# output should be empty
+sudo ngrep port 53
+
+# configured DoT addresses should be visible
+sudo ngrep port 853
+```
+
+```
+yoda@yodaTux ~ % sudo ngrep port 853
+[...]
+#
+T 192.168.178.71:48350 -> 5.9.164.112:853 [AP] #274
+ ....P.G.B.(...%/. e"..A".w.>.h..a.../...<.3b.
+ ^.d......'bj...w.qU.... ....90..4.LL.=.&
+```
diff --git a/pkg/de-p1st-dns/dns.conf b/pkg/de-p1st-dns/dns.conf
new file mode 100644
index 0000000..c81a643
--- /dev/null
+++ b/pkg/de-p1st-dns/dns.conf
@@ -0,0 +1,2 @@
+[main]
+dns=systemd-resolved
diff --git a/pkg/de-p1st-dns/systemd.preset b/pkg/de-p1st-dns/systemd.preset
new file mode 100644
index 0000000..cbea168
--- /dev/null
+++ b/pkg/de-p1st-dns/systemd.preset
@@ -0,0 +1 @@
+enable systemd-resolved.service
\ No newline at end of file
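Review bot: dns.conf carries no comment, so a reader of `dns=systemd-resolved` alone cannot tell why the file exists when the README says NetworkManager detects the stub-resolver symlink on its own; suggest a first line `# Hand per-link (DHCP) resolvers to systemd-resolved instead of letting NetworkManager write /etc/resolv.conf itself`, since NetworkManager.conf accepts `#` comments. It would also help to note there that this only selects the DNS plugin: the symlink of `/etc/resolv.conf` to the stub file that the README walks through is a manual step this package does not perform, and without it programs that read `/etc/resolv.conf` directly bypass the DoT configuration.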
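Review bot: The preset line `enable systemd-resolved.service` may not take effect on its own: as far as I know pacman applies presets only when a unit's package is first installed, and `systemd` is already present on any target system, so on an existing machine the service can stay disabled while the resolved.conf drop-in suggests DoT is active. With `install=` empty in the PKGBUILD, either keep the README's `systemctl enable --now systemd-resolved.service` as a documented required step or add an install script that runs `systemctl preset systemd-resolved.service` on first install; a comment in the preset saying which of the two is relied on would prevent the silent-plaintext surprise. The file also ends without a trailing newline (`\ No newline at end of file`); add one.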