| author | Craig Jennings <c@cjennings.net> | 2026-01-18 00:04:25 -0600 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-01-18 00:04:25 -0600 |
| commit | 4ee3713358c01afefe5d42df5fe7f463447a5df4 (patch) | |
| tree | 42f50de939f6cd904106e0ba8290cd7033e8c724 /archsetup | |
| parent | 07188c195835b385f5b67142ccdd5d54f46986eb (diff) | |
privacy(archsetup): add encrypted DNS (DNS over TLS)
- Configure systemd-resolved with DoT using Cloudflare + Quad9
- Enable DNSSEC validation
- Integrate with NetworkManager
- Fix conflict: keep systemd-resolved for DNS, avahi for mDNS
Diffstat (limited to 'archsetup')
| -rwxr-xr-x | archsetup | 30 |
1 files changed, 28 insertions, 2 deletions
@@ -631,6 +631,32 @@ wifi.cloned-mac-address=random ethernet.cloned-mac-address=stable EOF + # Encrypted DNS (DNS over TLS) + + action="configuring encrypted DNS (DNS over TLS)" && display "task" "$action" + mkdir -p /etc/systemd/resolved.conf.d + cat << 'EOF' > /etc/systemd/resolved.conf.d/dns-over-tls.conf +[Resolve] +# Use Cloudflare and Quad9 with DNS-over-TLS +DNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net +FallbackDNS=1.0.0.1#cloudflare-dns.com 149.112.112.112#dns.quad9.net +DNSOverTLS=yes +DNSSEC=yes +EOF + + # Configure NetworkManager to use systemd-resolved + cat << 'EOF' > /etc/NetworkManager/conf.d/dns.conf +[main] +dns=systemd-resolved +EOF + + action="enabling systemd-resolved" && display "task" "$action" + systemctl enable systemd-resolved >> "$logfile" 2>&1 || error "error" "$action" "$?" + + # Create resolv.conf symlink to systemd-resolved + action="linking resolv.conf to systemd-resolved" && display "task" "$action" + ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf >> "$logfile" 2>&1 || error "error" "$action" "$?" + # Power display "subtitle" "Power" @@ -728,8 +754,8 @@ EOF pacman_install nss-mdns # GNU Name Service Switch host name resolution pacman_install avahi # service discovery on a local network using mdns - action="configuring avahi" && display "task" "$action" - systemctl disable systemd-resolved.service >> "$logfile" 2>&1 || error "error" "$action" "$?" + action="enabling avahi for mDNS discovery" && display "task" "$action" + # Note: systemd-resolved handles DNS (with DoT), avahi handles mDNS (.local) systemctl enable avahi-daemon.service >> "$logfile" 2>&1 || error "error" "$action" "$?" pacman_install geoclue # geolocation service for location-aware apps |
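Review bot: in the first hunk (the `/etc/systemd/resolved.conf.d/dns-over-tls.conf` drop-in), `DNSOverTLS=yes` plus `DNSSEC=yes` is strict on both axes, and the NetworkManager `dns=systemd-resolved` setting means resolvers learned from DHCP are handed to resolved as per-link servers, which resolved routes lookups to ahead of the global `DNS=` list. On any network whose DHCP resolver does not listen on TCP 853, or that serves a zone with a broken DNSSEC chain, name resolution on that link fails outright rather than falling back. If the intent is that Cloudflare/Quad9 handle all lookups over TLS, add `Domains=~.` to the same `[Resolve]` block so the global servers are preferred for every name, and consider `DNSSEC=allow-downgrade` unless hard failure is the desired behaviour. Minor: `mkdir -p /etc/systemd/resolved.conf.d` is the one step here not wrapped in the `|| error "error" "$action" "$?"` pattern the rest of the script uses.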
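Review bot: in the second hunk (the avahi block), dropping `systemctl disable systemd-resolved.service` leaves both daemons running, and the new comment says resolved owns DNS while avahi owns mDNS, but nothing in this patch disables resolved's own multicast responder. Add `MulticastDNS=no` to the `[Resolve]` drop-in so resolved does not also answer `.local` queries on port 5353 on links where NetworkManager turns mDNS on. Separately, `nss-mdns` only routes `.local` through avahi if `mdns_minimal [NOTFOUND=return]` precedes `resolve` on the `hosts:` line of `/etc/nsswitch.conf`; that edit is not visible in this diff, so either it already exists elsewhere in `archsetup` or it should be added alongside this change.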
