From 96048d807ae213986eb6b88a1b1bba17cb34f8dc Mon Sep 17 00:00:00 2001
From: z3rOR0ne
Date: Mon, 23 Jun 2025 07:17:03 -0700
Subject: [PATCH] :memo: Adjusted dns resolver notes
---
 install_basics_security_artix.txt | 25 ++++++++++++++++++++++---
 updates.txt | 25 ++++++++++++++++++++++---
 2 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/install_basics_security_artix.txt b/install_basics_security_artix.txt
index 16aec037..8c0d9d53 100644
--- a/install_basics_security_artix.txt
+++ b/install_basics_security_artix.txt
@@ -47,15 +47,20 @@ And reboot again, you should have some sane security defaults now.
 Setup Device Level DNS Resolver:
-Install stubby:
-doas pacman -S stubby stubby-runit
+Install stubby and dnsmasq-runit:
+doas pacman -S stubby stubby-runit dnsmasq-runit
 doas ln -s /etc/runit/sv/stubby /run/runit/service/
+doas ln -s /etc/runit/sv/dnsmasq/ /run/runit/service/
 Adjust stubby init script to:
 exec chpst -U stubby stubby
 Adjust stubby config file:
 doas nvim /etc/stubby/stubby.yml
+Adjust the listen_addresses field:
+listen_addresses:
+ - 127.0.0.1@54
+ - 0::1@54
 Comment out all DEFAULT UPSTREAM and add Mullvad upstream_recursive_servers:
 - address_data: 194.242.2.4
 tls_auth_name: "base.dns.mullvad.net"
@@ -63,6 +68,16 @@ Comment out all DEFAULT UPSTREAM and add Mullvad upstream_recursive_servers:
 tls_auth_name: "base.dns.mullvad.net"
 Be aware of yaml's needs for proper indentation (copy and paste from DEFAULT UPSTREAM to be sure)
+Adjust dnsmasq config file:
+doas nvim /etc/dnsmasq.conf
+Ensure default port is 53:
+port=53
+Adjust listening server:
+server=127.0.0.1#54
+listen-address=127.0.0.1
+Uncomment no-resolv:
+no-resolv
+
 Edit /etc/resolv.conf to have the following:
 nameserver ::1
 nameserver 127.0.0.1
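Review bot: The dnsmasq block added in the second hunk of install_basics_security_artix.txt binds only `listen-address=127.0.0.1`, but the unchanged resolv.conf lines directly below still list `nameserver ::1` ahead of `nameserver 127.0.0.1`, so nothing answers on `::1` port 53 and each lookup has to fall back to the IPv4 loopback entry. The two files should agree: either widen the listener to `listen-address=127.0.0.1,::1` (stubby is already told to bind `0::1@54` in the previous hunk) or drop `nameserver ::1` from the resolv.conf instructions. The identical lines appear again in the updates.txt hunks further down this page and need the same adjustment.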
@@ -71,5 +86,9 @@ options trust-ad
 And make resolv.conf immutable:
 doas chattr +i /etc/resolv.conf
-Start stubby and test, visit (with browser with no DNS on):
+Start stubby and dnsmasq:
+doas sv start stubby && doas sv start dnsmasq
+You may have to kill port 53 before this will work.
+
+Test, visit (with browser with no DNS on):
 https://mullvad.net/en/check
diff --git a/updates.txt b/updates.txt
index b85c384d..70ad0d21 100755
--- a/updates.txt
+++ b/updates.txt
@@ -792,15 +792,20 @@ doas pacman -S transmission-cli
 06/23/2025
 Setup Device Level DNS Resolver:
-Install stubby:
-doas pacman -S stubby stubby-runit
+Install stubby and dnsmasq-runit:
+doas pacman -S stubby stubby-runit dnsmasq-runit
 doas ln -s /etc/runit/sv/stubby /run/runit/service/
+doas ln -s /etc/runit/sv/dnsmasq/ /run/runit/service/
 Adjust stubby init script to:
 exec chpst -U stubby stubby
 Adjust stubby config file:
 doas nvim /etc/stubby/stubby.yml
+Adjust the listen_addresses field:
+listen_addresses:
+ - 127.0.0.1@54
+ - 0::1@54
 Comment out all DEFAULT UPSTREAM and add Mullvad upstream_recursive_servers:
 - address_data: 194.242.2.4
 tls_auth_name: "base.dns.mullvad.net"
@@ -808,6 +813,16 @@ Comment out all DEFAULT UPSTREAM and add Mullvad upstream_recursive_servers:
 tls_auth_name: "base.dns.mullvad.net"
 Be aware of yaml's needs for proper indentation (copy and paste from DEFAULT UPSTREAM to be sure)
+Adjust dnsmasq config file:
+doas nvim /etc/dnsmasq.conf
+Ensure default port is 53:
+port=53
+Adjust listening server:
+server=127.0.0.1#54
+listen-address=127.0.0.1
+Uncomment no-resolv:
+no-resolv
+
 Edit /etc/resolv.conf to have the following:
 nameserver ::1
 nameserver 127.0.0.1
@@ -816,5 +831,9 @@ options trust-ad
 And make resolv.conf immutable:
 doas chattr +i /etc/resolv.conf
-Start stubby and test, visit (with browser with no DNS on):
+Start stubby and dnsmasq:
+doas sv start stubby && doas sv start dnsmasq
+You may have to kill port 53 before this will work.
+
+Test, visit (with browser with no DNS on):
 https://mullvad.net/en/check