From 4ee3713358c01afefe5d42df5fe7f463447a5df4 Mon Sep 17 00:00:00 2001
From: Craig Jennings
Date: Sun, 18 Jan 2026 00:04:25 -0600
Subject: privacy(archsetup): add encrypted DNS (DNS over TLS)

- Configure systemd-resolved with DoT using Cloudflare + Quad9
- Enable DNSSEC validation
- Integrate with NetworkManager
- Fix conflict: keep systemd-resolved for DNS, avahi for mDNS
---
 archsetup | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/archsetup b/archsetup
index e3f8d2a..c22334b 100755
--- a/archsetup
+++ b/archsetup
@@ -631,6 +631,32 @@
 wifi.cloned-mac-address=random
 ethernet.cloned-mac-address=stable
 EOF
+ # Encrypted DNS (DNS over TLS)
+
+ action="configuring encrypted DNS (DNS over TLS)" && display "task" "$action"
+ mkdir -p /etc/systemd/resolved.conf.d
+ cat << 'EOF' > /etc/systemd/resolved.conf.d/dns-over-tls.conf
+[Resolve]
+# Use Cloudflare and Quad9 with DNS-over-TLS
+DNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
+FallbackDNS=1.0.0.1#cloudflare-dns.com 149.112.112.112#dns.quad9.net
+DNSOverTLS=yes
+DNSSEC=yes
+EOF
+
+ # Configure NetworkManager to use systemd-resolved
+ cat << 'EOF' > /etc/NetworkManager/conf.d/dns.conf
+[main]
+dns=systemd-resolved
+EOF
+
+ action="enabling systemd-resolved" && display "task" "$action"
+ systemctl enable systemd-resolved >> "$logfile" 2>&1 || error "error" "$action" "$?"
+
+ # Create resolv.conf symlink to systemd-resolved
+ action="linking resolv.conf to systemd-resolved" && display "task" "$action"
+ ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf >> "$logfile" 2>&1 || error "error" "$action" "$?"
+
 # Power
 display "subtitle" "Power"
 
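Review bot: The global `DNS=` list written to `dns-over-tls.conf` is not guaranteed to be the set of resolvers this host actually uses: with `dns=systemd-resolved`, NetworkManager also hands each link the DHCP-provided servers, and resolved prefers a link's own servers for queries routed over that link, so the Cloudflare/Quad9 DoT upstreams may sit unused on a typical LAN (this is my reading of resolved's per-link routing; confirm with `resolvectl status` after first boot). If the intent is that only the DoT servers ever answer, the NetworkManager connections also need `ipv4.ignore-auto-dns=yes` / `ipv6.ignore-auto-dns=yes`, and that dependency should be stated in the comment above the `cat << 'EOF'` that writes the drop-in. Separately, `DNSSEC=yes` is strict mode: on any network whose DNS path breaks validation (captive portals are the usual case) resolution fails outright instead of degrading, so either document that trade-off next to the setting or use `DNSSEC=allow-downgrade`. The function enclosing this block starts and ends outside the hunk.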
@@ -728,8 +754,8 @@
 EOF
 pacman_install nss-mdns # GNU Name Service Switch host name resolution
 pacman_install avahi # service discovery on a local network using mdns
- action="configuring avahi" && display "task" "$action"
- systemctl disable systemd-resolved.service >> "$logfile" 2>&1 || error "error" "$action" "$?"
+ action="enabling avahi for mDNS discovery" && display "task" "$action"
+ # Note: systemd-resolved handles DNS (with DoT), avahi handles mDNS (.local)
 systemctl enable avahi-daemon.service >> "$logfile" 2>&1 || error "error" "$action" "$?"
 
 pacman_install geoclue # geolocation service for location-aware apps
-- 
cgit v1.2.3
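Review bot: The added comment `# Note: systemd-resolved handles DNS (with DoT), avahi handles mDNS (.local)` describes a split that the configuration does not yet enforce: systemd-resolved has its own mDNS responder and resolver (`MulticastDNS=`), so now that the `systemctl disable systemd-resolved.service` line is gone, both resolved and avahi-daemon can be active for mDNS depending on per-link settings, and `.local` lookups may be answered by resolved rather than the nss-mdns path installed two lines above. Adding `MulticastDNS=no` under `[Resolve]` in the `/etc/systemd/resolved.conf.d/dns-over-tls.conf` drop-in this commit creates would make the comment accurate; the split also depends on `/etc/nsswitch.conf` listing `mdns_minimal` ahead of `resolve`, which this patch does not show. The enclosing function starts and ends outside the hunk.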