
#1 2024-12-01 18:02:48

archuser_9999
Member
Registered: 2019-08-17
Posts: 90

[SOLVED] Why is my eth0 link not using the global protocols via stub?

So, having read through everything I can find on the Wiki regarding network configuration, I'm still stumped. I'm sure I'm simply missing some obvious step, or need to make a simple config change somewhere... but cannot currently see it.

Easiest way to explain where I'm at is perhaps this

$  resolvectl status
Global
           Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: stub
  Current DNS Server: 185.222.222.222#dns.sb
         DNS Servers: 185.222.222.222#dns.sb 185.222.222.222 2a09::
Fallback DNS Servers: 45.11.45.11 2a11::
          DNS Domain: ~.

Link 2 (enp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1 2a01:cb19:816a:2500:aed7:5bff:fe26:3080
        DNS Domain: ~.

So, as far as I understand, what I have successfully done is to start the appropriate systemd network services, configure the resolver to use a stub, and set a custom DNS server (DNS.SB) and add their own DNS_over_TLS servers. These all show up in the "global" protocols above.

My computer has an ethernet port only. It is wired to a shared modem/router thus I'm not really able to do anything like turn off DNS advertising in that because it is used by others. But, the settings above for my single wired connection show that the DNS used by my connection is still that supplied by my ISP. I specifically don't want this because they block a website I sometimes read.

Question is then: what is the simplest way to have my wired connection use the global protocols that I've set? I did do this

/etc/systemd/network/20-wired.network

[Match]
Name=enp1s0

[Link]
RequiredForOnline=routable

[Network]
DHCP=yes
DNSOverTLS=opportunistic
DNSSEC=allow-downgrade
DNS=[2a09::]%enp1s0#dns.sb
Domains=~.

but it changes nothing, though I may not have set the DNS server address here correctly (the Wiki would benefit from being much more explicit here). However this feels like redundancy.

Should I disable DHCP completely and set a static IP? Would that change anything? Having read the order in which configuration files are applied, I've created .conf files in /etc/systemd/resolved.conf.d/ but again, these are not picked up by my ethernet card. Or do I in fact simply need to edit settings in /etc/systemd/networkd.conf and set all these values there?

Last edited by archuser_9999 (2024-12-02 07:21:10)


#2 2024-12-01 20:40:12

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Why is my eth0 link not using the global protocols via stub?

I think the "error" lies within specifying "~." thrice - it should be only once (inside the stub).

Try this:

# /etc/systemd/resolved.conf

[Resolve]
DNS=185.222.222.222#dot.sb 2a09::#dot.sb 45.11.45.11#dot.sb 2a11::#dot.sb
FallbackDNS=
DNSOverTLS=yes

and

# /etc/systemd/network/20-wired.network

[Match]
Name=enp1s0

[Link]
RequiredForOnline=routable

[Network]
DHCP=yes
DNSOverTLS=opportunistic
DNSSEC=allow-downgrade

Last edited by -thc (2024-12-01 20:40:38)


#3 2024-12-02 07:20:20

archuser_9999
Member
Registered: 2019-08-17
Posts: 90

Re: [SOLVED] Why is my eth0 link not using the global protocols via stub?

Thank you, but I think I solved it when reading through the docs for about the twentieth time.

I removed all the .configs from /etc/systemd/resolve.conf.d/* and instead added

[Match]
Name=enp1s0

[Link]
RequiredForOnline=routable

[Network]
DHCP=no
Address=192.168.1.10/24
Gateway=192.168.1.1
DNS=185.222.222.222 45.11.45.11 2a09:: 2a11::
IPv6PrivacyExtensions=prefer-public

[DHCPv4]
UseDNS=false

and now it works as expected :)

I also removed ~. from domains


#4 2024-12-02 07:34:46

-thc
Member
Registered: 2017-03-15
Posts: 852

Re: [SOLVED] Why is my eth0 link not using the global protocols via stub?

Yeah - that's the other way you can solve this - by moving the intended configuration from the global to the link level.

Just three remarks for all readers:

- The principal method to "supersede" per-link DNS servers with the ones in the global configuration works
- The DoT certificates of this service have a lot of "X509v3 Subject Alternative Name" attribute values with all kinds of alternative names ("dot.sb", "dns.sb")
- systemd-networkd also accepts SNI specification for DoT via "DNS=185.222.222.222#dot.sb ..."

Last edited by -thc (2024-12-02 13:29:51)
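As an added example (not code from any poster in this thread): a small Python script that parses `resolvectl status` output and flags the situation from the first post, i.e. a link whose DNS servers were supplied by DHCP/RA rather than taken from the global DoT set, or whose DNSOverTLS mode is only opportunistic. The embedded sample is abridged from the output in the first post; stripping a `#hostname` suffix assumes the `address#sni` form mentioned in the thread.

```python
import re

# Constructed sample, abridged from the `resolvectl status` output in the first post.
SAMPLE = """\
Global
           Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=allow-downgrade/supported
         DNS Servers: 185.222.222.222#dns.sb 185.222.222.222 2a09::
Fallback DNS Servers: 45.11.45.11 2a11::

Link 2 (enp1s0)
         Protocols: +DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/supported
       DNS Servers: 192.168.1.1 2a01:cb19:816a:2500:aed7:5bff:fe26:3080
"""
HEADER = re.compile(r"^(Global|Link \d+ \((\S+)\))$")

def parse_status(text):
    """Map each section ('Global' or the link name) to its 'key: value' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group(2) or "Global"
            sections[current] = {}
        elif current and ":" in line:  # split on the first ':' only; IPv6 values hold more
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
    return sections

def dot_mode(protocols):
    """resolvectl prints +DNSOverTLS / -DNSOverTLS for yes/no, else DNSOverTLS=<mode>."""
    m = re.search(r"([+-])DNSOverTLS\b|DNSOverTLS=(\S+)", protocols)
    return "no" if m is None else m.group(2) or ("yes" if m.group(1) == "+" else "no")

def audit(text):
    """One finding per link that can send queries past the global DoT servers."""
    sections = parse_status(text)
    # Drop any '#hostname' SNI suffix so '1.2.3.4#dns.sb' matches '1.2.3.4'.
    trusted = {s.split("#")[0] for k in ("DNS Servers", "Fallback DNS Servers")
               for s in sections.get("Global", {}).get(k, "").split()}
    findings = []
    for link, kv in sections.items():
        if link == "Global":
            continue
        mode = dot_mode(kv.get("Protocols", ""))
        if mode != "yes":
            findings.append(f"{link}: DNSOverTLS={mode}, plaintext fallback is possible")
        for addr in (s.split("#")[0] for s in kv.get("DNS Servers", "").split()):
            if addr not in trusted:
                findings.append(f"{link}: {addr} is not a global server (DHCP/RA supplied?)")
    return findings
```

Pipe live output in with `resolvectl status | python3 -c 'import sys, audit_resolved as a; print(a.audit(sys.stdin.read()))'` (module name assumed); an empty list means every link uses only the global servers with DoT enforced.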

