chore: use manually configured dns servers in systemd-resolved

knowledge base/systemd.md

@@ -110,6 +110,9 @@ journalctl --disk-usage
 sudo journalctl --vacuum-size='1G'
 sudo journalctl --vacuum-time='1years'
 
+# Show the current time settings.
+timedatectl
+
 # List available timezones.
 timedatectl list-timezones
 
@@ -134,7 +137,7 @@ sudo timedatectl set-ntp false
 # Check the time and timezones state.
 timedatectl status
 
-# Show the current hostname state.
+# Show the current hostname settings.
 hostnamectl
 hostnamectl --pretty status
 hostnamectl --static status
@@ -142,6 +145,20 @@ hostnamectl --static status
 # Set hostnames.
 hostnamectl set-hostname 'static_hostname' --static
 hostnamectl set-hostname 'pretty_hostname' --pretty
+
+# Show the current DNS resolution settings.
+resolvectl status
+resolvectl status 'eth0'
+
+# Get an address-ip resolution and viceversa.
+resolvectl query 'www.0pointer.net'
+resolvectl query '85.214.157.71'
+
+# Retrieve PGP keys.
+resolvectl openpgp 'zbyszek@fedoraproject.org'
+
+# Restart the DNS resolver.
+sudo systemctl restart 'systemd-resolved.service'
 ```
 
 ## User services
@@ -208,6 +225,29 @@ Storage=persistent
    sudo service 'network-manager' restart
    ```
 
+### Ignore the DNS servers list given by the DHCP server
+
+Set the following lines in any network-specific file for which you want to ignore DNS servers from DHCP (like `/etc/systemd/network/eth0.network`), or in the global settings (`/etc/systemd/resolved.conf` or any file in `/etc/systemd/resolved.conf.d/`):
+
+```ini
+[DHCP]
+UseDNS=false
+```
+
+Restarting the `systemd-resolved` service seems to not be enough. Restarting the host changed the settings.
+
+### Manually set DNS servers
+
+Set the following lines in the global settings (`/etc/systemd/resolved.conf` or any file in `/etc/systemd/resolved.conf.d/`), or in any network-specific file you want to set DNS servers for (like `/etc/systemd/network/eth0.network`):
+
+```ini
+[Resolve]
+DNS=192.168.1.1 # Local router
+FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 # Cloudflare
+```
+
+Restart the `systemd-resolved` service to apply the new settings.
+
 ## Sources
 
 - [How to disable systemd-resolved in Ubuntu]

knowledge base/turris os.md

@@ -329,7 +329,7 @@ Install and configure Pi-hole in the container:
 hostnamectl set-hostname 'pi-hole'
 
 # Install pi-hole.
-DEBIAN_FRONTEND='noninteractive' apt-get install --assume-yes 'ca-certificates' 'curl'
+DEBIAN_FRONTEND='noninteractive' apt-get install --assume-yes 'ca-certificates' 'curl' 'unattended-upgrades'
 curl -sSL 'https://install.pi-hole.net' | bash
 
 # Follow the guided procedure.
@@ -339,6 +339,20 @@ curl -sSL 'https://install.pi-hole.net' | bash
 
 # Update pi-hole as a whole, if needed.
 /etc/.pihole/pihole -up
+
+# Set the router as the primary DNS server.
+sed -E -i.bak 's|^#?\s*DNS\s*=\s*.*$|DNS=192.168.1.1|' '/etc/systemd/resolved.conf'
+
+# Set Cloudflare as the fallback DNS server.
+# Optional.
+sed -E -i.bak 's|^#?\s*FallbackDNS\s*=\s*.*$|FallbackDNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 # Cloudflare|' '/etc/systemd/resolved.conf'
+
+# Set the interface to ignore DNS lists given by the DHCP server.
+cp '/etc/systemd/network/eth0.network' '/etc/systemd/network/eth0.network.bak'
+cat >> '/etc/systemd/network/eth0.network' <<EOF
+[DHCP]
+UseDNS=false
+EOF
 ```
 
 Finish setting up the container as explained above.<br/>
@@ -349,7 +363,7 @@ Then, in Turris OS:
 # Keep the router as secondary.
 uci set dhcp.lan.dhcp_option='6,192.168.111.2,192.168.111.1'
 
-# The dns server address in the IPv6 RA should be the container's ULA address
+# The DNS server address in the IPv6 RA should be the container's ULA address
 # since the global routable IPv6 address tend to change daily.
 uci add_list dhcp.lan.dns="$(lxc-info --name pi-hole | grep -E 'IP.* f[cd]' | sed 's/IP: *//')"
 
@@ -366,6 +380,7 @@ Suggestions:
 - [SSH]:
   - Change the SSH port from the default `22` value.
   - Restrict login to specific IP addresses.
+  - Restrict authentication options to keys.
 
 ## The SFP+ caged module