authorCraig Jennings <c@cjennings.net>2026-01-18 00:04:25 -0600
committerCraig Jennings <c@cjennings.net>2026-01-18 00:04:25 -0600
commit4ee3713358c01afefe5d42df5fe7f463447a5df4 (patch)
tree42f50de939f6cd904106e0ba8290cd7033e8c724
parent07188c195835b385f5b67142ccdd5d54f46986eb (diff)
privacy(archsetup): add encrypted DNS (DNS over TLS)
- Configure systemd-resolved with DoT using Cloudflare + Quad9
- Enable DNSSEC validation
- Integrate with NetworkManager
- Fix conflict: keep systemd-resolved for DNS, avahi for mDNS
-rwxr-xr-xarchsetup30
1 files changed, 28 insertions, 2 deletions
diff --git a/archsetup b/archsetup
index e3f8d2a..c22334b 100755
--- a/archsetup
+++ b/archsetup
@@ -631,6 +631,32 @@ wifi.cloned-mac-address=random
ethernet.cloned-mac-address=stable
EOF
+ # Encrypted DNS (DNS over TLS)
+
+ action="configuring encrypted DNS (DNS over TLS)" && display "task" "$action"
+ mkdir -p /etc/systemd/resolved.conf.d
+ cat << 'EOF' > /etc/systemd/resolved.conf.d/dns-over-tls.conf
+[Resolve]
+# Use Cloudflare and Quad9 with DNS-over-TLS
+DNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
+FallbackDNS=1.0.0.1#cloudflare-dns.com 149.112.112.112#dns.quad9.net
+DNSOverTLS=yes
+DNSSEC=yes
+EOF
+
+ # Configure NetworkManager to use systemd-resolved
+ cat << 'EOF' > /etc/NetworkManager/conf.d/dns.conf
+[main]
+dns=systemd-resolved
+EOF
+
+ action="enabling systemd-resolved" && display "task" "$action"
+ systemctl enable systemd-resolved >> "$logfile" 2>&1 || error "error" "$action" "$?"
+
+ # Create resolv.conf symlink to systemd-resolved
+ action="linking resolv.conf to systemd-resolved" && display "task" "$action"
+ ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf >> "$logfile" 2>&1 || error "error" "$action" "$?"
+
# Power
display "subtitle" "Power"
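Review bot: The `ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf` step follows a `systemctl enable systemd-resolved` that only enables the unit without starting it, so `/etc/resolv.conf` becomes a dangling link at this point while later `pacman_install` calls in the same script (e.g. the nss-mdns/avahi/geoclue installs in the next hunk) still need working name resolution; if archsetup runs inside an installer chroot, `/etc/resolv.conf` is likely a bind mount and the `ln -sf` would instead fail with EBUSY and trip the `error` handler. Consider moving the symlink step to the end of the script or guarding it, e.g. `[ -e /run/systemd/resolve/stub-resolv.conf ] && ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`, with a comment explaining the deferral. Since the commit keeps avahi for mDNS, the `[Resolve]` drop-in should also set `MulticastDNS=no` so resolved's own responder does not contend with avahi-daemon on port 5353; otherwise the "conflict fix" only removes the old disable line. With `dns=systemd-resolved` NetworkManager still pushes DHCP-supplied resolvers to resolved per link, and under strict `DNSOverTLS=yes` those are attempted over TLS too, so resolution hard-fails on networks whose resolver offers no DoT unless the profiles set `ipv4.ignore-auto-dns=yes`/`ipv6.ignore-auto-dns=yes`; that tradeoff, and the equally strict `DNSSEC=yes` (no downgrade on broken validation), deserves a sentence in the heredoc comment.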
@@ -728,8 +754,8 @@ EOF
pacman_install nss-mdns # GNU Name Service Switch host name resolution
pacman_install avahi # service discovery on a local network using mdns
- action="configuring avahi" && display "task" "$action"
- systemctl disable systemd-resolved.service >> "$logfile" 2>&1 || error "error" "$action" "$?"
+ action="enabling avahi for mDNS discovery" && display "task" "$action"
+ # Note: systemd-resolved handles DNS (with DoT), avahi handles mDNS (.local)
systemctl enable avahi-daemon.service >> "$logfile" 2>&1 || error "error" "$action" "$?"
pacman_install geoclue # geolocation service for location-aware apps