From 18851473c20f7580742a8f116ca374e0d2b069a7 Mon Sep 17 00:00:00 2001
From: z3rOR0ne
Date: Mon, 23 Jun 2025 06:17:17 -0700
Subject: [PATCH] :memo: Made note of custom dns resolver
---
 install_basics_security_artix.txt | 29 +++++++++++++++++++++++++++++
 updates.txt | 30 ++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
diff --git a/install_basics_security_artix.txt b/install_basics_security_artix.txt
index 8fbe54f6..16aec037 100644
--- a/install_basics_security_artix.txt
+++ b/install_basics_security_artix.txt
@@ -44,3 +44,32 @@ Now load simple defaults:
 doas apparmor_parser /usr/share/apparmor/extra-profiles/
 And reboot again, you should have some sane security defaults now.
+
+Setup Device Level DNS Resolver:
+
+Install stubby:
+doas pacman -S stubby stubby-runit
+doas ln -s /etc/runit/sv/stubby /run/runit/service/
+
+Adjust stubby init script to:
+exec chpst -U stubby stubby
+
+Adjust stubby config file:
+doas nvim /etc/stubby/stubby.yml
+Comment out all DEFAULT UPSTREAM and add Mullvad upstream_recursive_servers:
+- address_data: 194.242.2.4
+ tls_auth_name: "base.dns.mullvad.net"
+- address_data: 2a07:e340::4
+ tls_auth_name: "base.dns.mullvad.net"
+Be aware of yaml's needs for proper indentation (copy and paste from DEFAULT UPSTREAM to be sure)
+
+Edit /etc/resolv.conf to have the following:
+nameserver ::1
+nameserver 127.0.0.1
+options trust-ad
+
+And make resolv.conf immutable:
+doas chattr +i /etc/resolv.conf
+
+Start stubby and test, visit (with browser with no DNS on):
+https://mullvad.net/en/check
diff --git a/updates.txt b/updates.txt
index 82afad28..b85c384d 100755
--- a/updates.txt
+++ b/updates.txt
@@ -788,3 +788,33 @@ Reinstall eza until Artix package is fixed:
 doas pacman -Rs eza && cargo install eza --force --features vendored-libgit2
 Install transmission-cli
 doas pacman -S transmission-cli
+
+06/23/2025
+Setup Device Level DNS Resolver:
+
+Install stubby:
+doas pacman -S stubby stubby-runit
+doas ln -s /etc/runit/sv/stubby /run/runit/service/
+
+Adjust stubby init script to:
+exec chpst -U stubby stubby
+
+Adjust stubby config file:
+doas nvim /etc/stubby/stubby.yml
+Comment out all DEFAULT UPSTREAM and add Mullvad upstream_recursive_servers:
+- address_data: 194.242.2.4
+ tls_auth_name: "base.dns.mullvad.net"
+- address_data: 2a07:e340::4
+ tls_auth_name: "base.dns.mullvad.net"
+Be aware of yaml's needs for proper indentation (copy and paste from DEFAULT UPSTREAM to be sure)
+
+Edit /etc/resolv.conf to have the following:
+nameserver ::1
+nameserver 127.0.0.1
+options trust-ad
+
+And make resolv.conf immutable:
+doas chattr +i /etc/resolv.conf
+
+Start stubby and test, visit (with browser with no DNS on):
+https://mullvad.net/en/check