Notes on safe network setup
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Martins Eglitis 9113158b46 Initial commit 2 weeks ago Initial commit 2 weeks ago


Notes on safe and convenient network setup.


  • unbound - serves as a caching DNS resolver.
  • expat - provides DNSSEC validation.
  • dnscrypt- - serves as a DNS proxy, provides encryption, DNSSEC compatible.


  • # vi /etc/udev/rules.d/10-network.rules - create the rules for renaming the network interfaces. Find the original addresses using ip a.
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="01:23:45:67:89:ab", NAME="wired"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="11:22:33:44:55:66", NAME="wireless"
  • # vi /etc/systemd/network/ - spoof the original MAC addresses.
MACAddress=01:23:45:67:89:ab 11:22:33:44:55:66

NamePolicy=kernel database onboard slot path
  • # vi /etc/systemd/network/ - configure the DHCP for both interfaces.
Name=wired wireless

  • # systemctl enable systemd-networkd.service - enable the systemd network service.

  • # vi /etc/resolv.conf - edit the resolver config, forward to unbound.

#use local DNS cache (unbound)
nameserver ::1
options edns0 single-request-reopen
  • # vi /etc/unbound/unbound.conf - edit the unbound config and forward to dnscrypt.
	use-syslog: yes
	do-daemonize: no
	username: "unbound"
	directory: "/etc/unbound"
	trust-anchor-file: trusted-key.key
	do-not-query-localhost: no

	name: "."
	#use dnscrypt
	forward-addr: ::1@53000
  • # vi /etc/dnscrypt-proxy/dnscrypt-proxy.toml - edit the dnscrypt config. Using specific server names will speed things up but the server has to support DNSSEC. If unsure, leave the server_names empty and enable require_dnssec.
server_names = []
require_dnssec = true