Major set of updates

dns/dot/index.md

@@ -5,6 +5,8 @@ permalink: /dns-over-tls/
 
 * [Resolvers that support DNS-over-TLS](../resolvers.md#dns-over-tls)
 
+For making your own resolver using Haproxy, see [this](../../haproxy.md#dns-over-tls)
+
 ## Linux
 
 * [Unbound](unbound-linux.md) (Linux)
@@ -21,4 +23,4 @@ Use the integrated Private DNS feature.
 
 ### Other Android versions
 
-* [Nebulo](https://smokescreen.app/) (<a href="https://t.me/joinchat/I54nRleveRGP8IPmcIdySg" rel="nofollow">Telegram group</a>)
\ No newline at end of file
+* [Nebulo](https://smokescreen.app/) (<a href="https://t.me/joinchat/I54nRleveRGP8IPmcIdySg" rel="nofollow">Telegram group</a>)

dns/dot/unbound-linux.md

@@ -5,6 +5,8 @@ permalink: /dns-over-tls/unbound/linux/
 
 Filename `/etc/unbound/unbound.conf`
 
+### Debian
+
 ```
 # Unbound configuration file for Debian.
 #
@@ -27,10 +29,47 @@ forward-zone:
   forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
   forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
   forward-addr: 146.185.167.43@853#dot.securedns.eu
+  forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net
+```
+
+### Arch
+
+**DNSSEC checking is disabled due to it not working. Please help me if you find a fix.**
+
+```
+server:
+  use-syslog: yes
+  do-daemonize: no
+  username: "unbound"
+  directory: "/etc/unbound"
+  # TODO: fix DNSSEC check
+  # trust-anchor-file: trusted-key.key
+  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+forward-zone:
+  name: "."
+  forward-tls-upstream: yes
+
+  forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
+  forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
+  forward-addr: 146.185.167.43@853#dot.securedns.eu
+  forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net
 ```
 
 See [list of resolvers that support DNS-over-TLS](../resolvers.md#dns-over-tls)
 
+## Setting unbound as system resolver
+
+```bash
+echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf && sudo chattr +i /etc/resolv.conf
+```
+
+This sets `127.0.0.1` as nameserver and locks the file (`chattr +i`). To unlock the file, run `chattr -i /etc/resolv.conf`
+
+## Captive portals
+
+As captive portals don't allow DNS-over-TLS, you need to reset your DNS to the network's own.
+
 ## Further reading
 
-* [Actually secure DNS over TLS in Unbound](https://www.ctrl.blog/entry/unbound-tls-forwarding)
\ No newline at end of file
+* [Actually secure DNS over TLS in Unbound](https://www.ctrl.blog/entry/unbound-tls-forwarding)

dns/resolvers.md

 ---
 title: DNS resolvers
-permalink: /dns/resolvers
+permalink: /dns/resolvers/
 ---
 
 ## Plaintext
@@ -9,7 +9,7 @@ permalink: /dns/resolvers
 * [UncensoredDNS](https://blog.uncensoreddns.org/dns-servers/) (Denmark + United States)
 * [Digitalcourage](https://digitalcourage.de/support/zensurfreier-dns-server) (Germany)
 * [CZ.NIC ODVR](https://www.nic.cz/odvr/) (Czechia)
-* [DNSWarden](https://dnswarden.com/) (**Note: only port 5353 for plaintext**, Germany)
+* [DNSWarden](https://dnswarden.com/) (Note: port 53 for adblock plaintext, port 5353 for non-adblock plaintext, Germany)
 * [Snopyta.org](https://snopyta.org/) (Germany)
 * [IPredator](https://ipredator.se/page/services#service_dns) (Sweden)
 * [Cryptostorm](https://cryptostorm.is/dns.txt) (international, mainly Europe and United States)
@@ -24,11 +24,7 @@ permalink: /dns/resolvers
 * [Appliedprivacy.net](https://appliedprivacy.net/de/services/dns/) (Austria)
 * [CZ.NIC ODVR](https://www.nic.cz/odvr/) (Czechia)
 * [DNSWarden](https://dnswarden.com/) (Germany)
-
-My own:
-
-* [resolver1.lelux.fi](https://resolver1.lelux.fi/) (France)
-* [resolver2.lelux.fi](https://resolver2.lelux.fi/) (Luxembourg)
+* [Lelux.fi](https://lelux.fi/resolver/) (France + Luxembourg)
 
 Guides for using DNS-over-TLS can be found from [here](dot/index.md).
 
@@ -53,4 +49,4 @@ More DNSCrypt resolvers can be found [here](https://github.com/dyne/dnscrypt-pro
 ## Further reading
 
 * [On Firefox moving DNS to a third party](https://blog.powerdns.com/2018/09/04/on-firefox-moving-dns-to-a-third-party/) on PowerDNS Blog
-* [The big DNS Privacy Debate at FOSDEM](https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem/) on PowerDNS Blog
\ No newline at end of file
+* [The big DNS Privacy Debate at FOSDEM](https://blog.powerdns.com/2019/02/07/the-big-dns-privacy-debate-at-fosdem/) on PowerDNS Blog

haproxy.md

@@ -212,32 +212,37 @@ sudo haproxy -c -- /etc/haproxy/haproxy.cfg
 listen dns
         bind :::853 v4v6 tfo ssl crt /etc/haproxy/certs
         mode tcp
-        server unbound 127.0.0.1:53
+        server resolver 127.0.0.1:53
 ```
 
+You may replace `127.0.0.1:53` with address of your resolver. I recommend using [Unbound](https://nlnetlabs.nl/projects/unbound/about/) as resolver.
+
 Try with the following command:
 
 ```bash
-kdig -d @SERVER_HOSTNAME_OR_IP +tls-ca +tls-host=TLS_HOSTNAME  whoami.v4.powerdns.org
+export SERVER_HOSTNAME="resolver2.lelux.fi" && kdig -d @$SERVER_HOSTNAME +tls-ca +tls-host=$SERVER_HOSTNAME +tls-sni=$SERVER_HOSTNAME whoami.v4.powerdns.org
 ```
 
+Replace `resolver2.lelux.fi` with your resolver address. You may replace `@$SERVER_HOSTNAME` with `@ipaddress` (replace `ipaddress`).
+
+
 It should return your DNS resolver's outgoing IP address as result.
 
 Example result:
 
 ```console
-$ kdig -d @resolver1.lelux.fi +tls-ca +tls-host=resolver1.lelux.fi  whoami.v4.powerdns.org
-;; DEBUG: Querying for owner(whoami.v4.powerdns.org.), class(1), type(1), server(resolver1.lelux.fi), port(853), protocol(TCP)
-;; DEBUG: TLS, imported 128 system certificates
+$ export SERVER_HOSTNAME="resolver2.lelux.fi" && kdig -d @$SERVER_HOSTNAME +tls-ca +tls-host=$SERVER_HOSTNAME +tls-sni=$SERVER_HOSTNAME whoami.v4.powerdns.org
+;; DEBUG: Querying for owner(whoami.v4.powerdns.org.), class(1), type(1), server(resolver2.lelux.fi), port(853), protocol(TCP)
+;; DEBUG: TLS, imported 154 system certificates
 ;; DEBUG: TLS, received certificate hierarchy:
-;; DEBUG:  #1, CN=resolver1.lelux.fi
-;; DEBUG:      SHA-256 PIN: 2aPeuRroX59Lr5V6Zdd/rM9aok+aB3vL93HgApKT0Kc=
+;; DEBUG:  #1, CN=resolver2.lelux.fi
+;; DEBUG:      SHA-256 PIN: bC5Vi0G8FqvFrf9TgNtJomNLDxG58tEj/mlWX6oOt+E=
 ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
 ;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
 ;; DEBUG: TLS, skipping certificate PIN check
 ;; DEBUG: TLS, The certificate is trusted. 
 ;; TLS session (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
-;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53307
+;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 10983
 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
 
 ;; EDNS PSEUDOSECTION:
@@ -247,11 +252,11 @@ $ kdig -d @resolver1.lelux.fi +tls-ca +tls-host=resolver1.lelux.fi  whoami.v4.po
 ;; whoami.v4.powerdns.org.		IN	A
 
 ;; ANSWER SECTION:
-whoami.v4.powerdns.org.	60	IN	A	51.158.160.192
+whoami.v4.powerdns.org.	60	IN	A	104.244.79.229
 
 ;; Received 67 B
-;; Time 2019-04-22 07:35:00 EEST
-;; From 51.158.160.192@853(TCP) in 65.4 ms
+;; Time 2019-06-25 05:24:15 EEST
+;; From 104.244.79.229@853(TCP) in 264.6 ms
 ```
 
 ### Further reading
@@ -264,4 +269,4 @@ whoami.v4.powerdns.org.	60	IN	A	51.158.160.192
 
 Coming soon
 
--->
\ No newline at end of file
+-->

wireguard.md

@@ -61,6 +61,7 @@ umask 077; wg genkey | tee privatekey | wg pubkey > publickey
 [Interface]
 PrivateKey = PRIVATE_KEY
 Address = 10.x.x.x/x
+#DNS = 10.x.x.x, 10.x.x.x # optional, would recommend only if you set AllowedIPs to 0.0.0.0/0
 
 [Peer]
 PublicKey = Server_Public_Key