add DNS

pkg/de-p1st-dns/DoT.conf

@@ -0,0 +1,11 @@
+[Resolve]
+DNS=5.9.164.112:853#dns3.digitalcourage.de 46.182.19.48:853#dns2.digitalcourage.de
+DNSOverTLS=yes
+DNSSEC=yes
+FallbackDNS=185.95.218.42:853#dns.digitale-gesellschaft.ch 185.95.218.43:853#dns.digitale-gesellschaft.ch 89.233.43.71:853#unicast.uncensoreddns.org 5.1.66.255:853#dot.ffmuc.net
+Domains=~.
+Cache=yes
+#LLMNR=yes
+#MulticastDNS=yes
+#DNSStubListener=yes
+#ReadEtcHosts=yes

pkg/de-p1st-dns/PKGBUILD

@@ -0,0 +1,37 @@
+# Maintainer: Daniel Langbein <daniel@systemli.org>
+_pkgname=dns
+_reponame=arch-pkg
+pkgname="de-p1st-$_pkgname"
+pkgver=0.0.1
+pkgrel=1
+pkgdesc="DNS configuration: Use DNS over TLS"
+arch=('any')
+url="https://git.privacy1st.de/langfingaz/${_reponame}"
+license=('MIT')
+groups=()
+
+# systemd-resolvd
+depends=('systemd')
+# (optional) replacement for resolvconf
+depends+=('systemd-resolvconf')
+
+makedepends=('git')
+optdepends=()
+provides=()
+conflicts=() # 'openresolv' conflicts with 'systemd-resolvd'
+replaces=()
+backup=()
+options=()
+install=
+changelog=
+source=("git+${url}.git")
+noextract=()
+sha256sums=('SKIP')
+
+package() {
+  cd "${_reponame}/pkg/${pkgname}"
+
+  install -Dm0644 DoT.conf       "$pkgdir"/etc/systemd/resolved.conf.d/DoT.conf
+  install -Dm0644 dns.conf       "$pkgdir"/etc/NetworkManager/conf.d/dns.conf
+  install -Dm0644 systemd.preset "$pkgdir"/usr/lib/systemd/system-preset/"$pkgname".preset
+}

pkg/de-p1st-dns/README.md

@@ -0,0 +1,158 @@
+# DNS
+
+List of DNS servers
+
+* kuketz-blog
+  * https://www.kuketz-blog.de/empfehlungsecke/#dns
+* Digitalcourage
+  * https://digitalcourage.de/support/zensurfreier-dns-server
+  * DoT, DNSSEC: 5.9.164.112:853#dns3.digitalcourage.de
+  * DoT, DNSSEC: 46.182.19.48:853#dns2.digitalcourage.de
+* Digitale Gesellschaft
+  * https://www.digitale-gesellschaft.ch/dns/
+  * DoT, DNSSEC: 185.95.218.42:853#dns.digitale-gesellschaft.ch
+  * DoT, DNSSEC: 185.95.218.43:853#dns.digitale-gesellschaft.ch
+* UncensoredDNS
+  * https://blog.uncensoreddns.org/dns-servers/
+  * 89.233.43.71:853#unicast.uncensoreddns.org
+* https://ffmuc.net/wiki/doku.php?id=knb:dohdot
+  * 5.1.66.255:853#dot.ffmuc.net
+
+## Unencrypted DNS - Network Manager Configuration
+
+* https://wiki.archlinux.org/index.php/NetworkManager#Custom_DNS_servers
+
+```shell
+echo '[global-dns-domain-*]
+# servers=serveripaddress1,serveripaddress2,serveripaddress3
+servers=46.182.19.48,2a02:2970:1002::18,91.239.100.100,2001:67c:28a4::,89.233.43.71,2a01:3a0:53:53::' \
+| sudo tee /etc/NetworkManager/conf.d/dns-servers.conf
+
+sudo systemctl restart NetworkManager
+```
+
+## Encrypted DNS - systemd-resolved
+
+* https://wiki.archlinux.org/index.php/Systemd-resolved#DNS_over_TLS
+* https://www.freedesktop.org/software/systemd/man/resolved.conf.html#  
+* `domains=~.`
+    * https://unix.stackexchange.com/a/632292
+* https://fedoramagazine.org/use-dns-over-tls/  
+
+> systemd-resolved provides resolver services
+> for Domain Name System (DNS) (including DNSSEC
+> and DNS over TLS), Multicast DNS (mDNS) and
+> Link-Local Multicast Name Resolution (LLMNR)
+
+Installation:
+
+```shell
+# already preinstalled, contains systemd-resolved
+sudo pacman -S --needed systemd
+
+# remove openresolv! It is in conflict with systemd-resolvd
+sudo pacman -Rns openresolv
+
+# optional: install resolvconf replacement (for use with systemd-resolved)
+sudo pacman -S --needed systemd-resolvconf
+```
+
+Resolver configuration:
+
+```shell
+sudo mkdir -p /etc/systemd/resolved.conf.d
+
+echo \
+'[Resolve]
+DNS=5.9.164.112:853#dns3.digitalcourage.de 46.182.19.48:853#dns2.digitalcourage.de
+DNSOverTLS=yes
+DNSSEC=yes
+FallbackDNS=185.95.218.42:853#dns.digitale-gesellschaft.ch 185.95.218.43:853#dns.digitale-gesellschaft.ch 89.233.43.71:853#unicast.uncensoreddns.org 5.1.66.255:853#dot.ffmuc.net
+Domains=~.
+Cache=yes
+#LLMNR=yes
+#MulticastDNS=yes
+#DNSStubListener=yes
+#ReadEtcHosts=yes' \
+| sudo tee /etc/systemd/resolved.conf.d/DoT.conf >/dev/null
+```
+
+NetworkManager -> use systemd-resolved:
+
+- There are multiple alternatives to do this
+- From man page https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html:
+  If resolv.conf is symlink (see symlink
+  line below), then NetworkManager wil automatically use
+  resolvd. This is the nicest method.
+    - https://wiki.archlinux.org/index.php/Systemd-resolved#DNS
+- Alternative: Add "[main] <newLine> dns=systemd-resolved"
+  to /etc/NetworkManager/conf.d/dns.conf
+    - https://wiki.archlinux.org/index.php/NetworkManager#systemd-resolved
+
+```shell
+# resolv.conf generated by NetworkManager
+sudo systemctl stop NetworkManager
+if [ ! -f /etc/resolv.conf.backup ]; then sudo mv /etc/resolv.conf /etc/resolv.conf.backup; fi 
+sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+```
+
+Enabling systemd-resolvd:
+
+```shell
+sudo systemctl enable --now systemd-resolved.service
+```
+
+Restarting NetworkManager:
+
+```shell
+sudo systemctl restart NetworkManager
+```
+
+After some seconds, `resolv.conf` should just contain `nameserver 127.0.0.53`
+
+```shell
+cat /etc/resolv.conf
+```
+
+See also: `resolvectl status`
+
+
+## Verification of unencrypted DNS
+
+```shell
+sudo pacman -S --needed ngrep
+
+sudo ngrep port 53
+```
+
+The destination IP addresses should be one of the configured dns servers:
+
+```
+yoda@yodaTux ~ % sudo ngrep port 53
+interface: wlp1s0 (192.168.178.0/255.255.255.0)
+filter: ( port 53 ) and ((ip || ip6) || (vlan && (ip || ip6)))
+#
+U 192.168.178.71:60481 -> 46.182.19.48:53 #1
+  <............wiki.archlinux.org..... 
+```
+
+## Verification of unencrypted DNS
+
+```shell
+sudo pacman -S --needed ngrep
+
+# output should be empty
+sudo ngrep port 53
+
+# configured DoT addresses should be visible
+sudo ngrep port 853
+```
+
+```
+yoda@yodaTux ~ % sudo ngrep port 853
+[...]
+#
+T 192.168.178.71:48350 -> 5.9.164.112:853 [AP] #274
+  ....P.G.B.(...%/. e"..A".w.>.h..a.../...<.3b.
+  ^.d......'bj...w.qU.... ....90..4.LL.=.&
+```

pkg/de-p1st-dns/dns.conf

@@ -0,0 +1,2 @@
+[main]
+dns=systemd-resolved

pkg/de-p1st-dns/systemd.preset

@@ -0,0 +1 @@
+enable systemd-resolved.service