Use DNS over TLS & enable DNSSEC

To disable wireguard interfaces whenever applicable

host_vars/desktop/network.yml

@@ -2,7 +2,7 @@ lan_interface: enp1s0
 lan_interface_mac: 00:d8:61:9f:52:65
 
 local_network_address: 192.168.2.15/24
-local_network_dns: 192.168.2.254
+local_network_dns: 9.9.9.9 149.112.112.112
 local_network_gateway: 192.168.2.254
 
 hostname: desktop

host_vars/xps/network.yml

@@ -3,12 +3,14 @@ wireless_interface_mac: 98:2c:bc:e3:ff:bc
 
 local_network_ssid: KPNAE51C6
 local_network_address: 192.168.2.9/24
-local_network_dns: 192.168.2.254
+local_network_dns: 9.9.9.9 149.112.112.112
 local_network_gateway: 192.168.2.254
 
 frans_network_ssid: KPNDD1056
 frans_network_address: 192.168.2.9/24
-frans_network_dns: 192.168.2.254
+frans_network_dns: 9.9.9.9 149.112.112.112
 frans_network_gateway: 192.168.2.254
 
+default_network_dns: 9.9.9.9 149.112.112.112
+
 hostname: xps

playbook.yml

@@ -29,7 +29,8 @@
     - name: Personal provisiong
       when: "'personal' in group_names"
       block:
-        # TODO: require (w)lan interfaces before configuring these
+        # Note: set `network.dns.native_https_query` in about:config to prevent
+        # DoH requests by default. See https://github.com/arkenfox/user.js/issues/1881
         - name: Wireguard provisioning
           ansible.builtin.import_tasks: 'tasks/personal/all/wireguard.yml'
           tags: wireguard

templates/personal/all/mpv/config.j2

@@ -8,3 +8,6 @@ hwdec=vaapi
 
 audio-samplerate=128000
 audio-format=s64
+
+# Do not close the window on exit
+keep-open=yes

templates/personal/desktop/network/enp1s0.network.j2

@@ -5,13 +5,13 @@ Name={{ lan_interface }}
 
 [Network]
 Address={{ local_network_address }}
-DNS={{ local_network_dns }}
 Gateway={{ local_network_gateway }}
-DHCP=no
+DNS={{ local_network_dns }}
 MulticastDNS=yes
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=no
 LinkLocalAddressing=no
 IPv6AcceptRA=no
 IPv6SendRA=no
-
-[Link]
 RequiredForOnline=routable

templates/personal/desktop/network/wg0.network.j2

@@ -7,3 +7,4 @@ Name={{ vpn_default.interface }}
 Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
 DNS={{ vpn_default.dns }}
 Domains={{ vpn_default.domains | join(' ') }}
+BindCarrier={{ lan_interface }}

templates/personal/desktop/network/wg1.network.j2

@@ -7,3 +7,4 @@ Name={{ vpn_media.interface }}
 Address={{ vpn_media.ip }}/{{ vpn_media.prefix }}
 DNS={{ vpn_media.dns }}
 Domains={{ vpn_media.domains | join(' ') }}
+BindCarrier={{ lan_interface }}

templates/personal/xps/network/wg0.network.j2

@@ -7,3 +7,4 @@ Name={{ vpn_default.interface }}
 Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
 DNS={{ vpn_default.dns }}
 Domains={{ vpn_default.domains | join(' ') }}
+BindCarrier={{ wireless_interface }}

templates/personal/xps/network/wg1.network.j2

@@ -7,3 +7,4 @@ Name={{ vpn_media.interface }}
 Address={{ vpn_media.ip }}/{{ vpn_media.prefix }}
 DNS={{ vpn_media.dns }}
 Domains={{ vpn_media.domains | join(' ') }}
+BindCarrier={{ wireless_interface }}

templates/personal/xps/network/wlan0-frans.network.j2

@@ -6,10 +6,12 @@ SSID={{ frans_network_ssid }}
 
 [Network]
 Address={{ frans_network_address }}
-DNS={{ frans_network_dns }}
 Gateway={{ frans_network_gateway }}
-DHCP=no
+DNS={{ frans_network_dns }}
 MulticastDNS=yes
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=no
 LinkLocalAddressing=no
 IPv6AcceptRA=no
 IPv6SendRA=no

templates/personal/xps/network/wlan0-local.network.j2

@@ -6,10 +6,12 @@ SSID={{ local_network_ssid }}
 
 [Network]
 Address={{ local_network_address }}
-DNS={{ local_network_dns }}
 Gateway={{ local_network_gateway }}
-DHCP=no
+DNS={{ local_network_dns }}
 MulticastDNS=yes
+DNSOverTLS=yes
+DNSSEC=yes
+DHCP=no
 LinkLocalAddressing=no
 IPv6AcceptRA=no
 IPv6SendRA=no

templates/personal/xps/network/wlan0.network.j2

@@ -2,6 +2,9 @@
 MACAddress={{ wireless_interface_mac }}
 
 [Network]
+DNS={{ default_network_dns }}
+DNSOverTLS=yes
+DNSSEC=yes
 DHCP=yes
 RequiredForOnline=routable
 IgnoreCarrierLoss=3s