feat: switch DNS resolver to Unbound from systemd-resolved by alexvojproc · Pull Request #1365 · secureblue/secureblue

alexvojproc · 2025-09-19T18:19:33Z

This PR switches the local DNS stub resolver to Unbound, due to systemd-resolved's unreliable DNSSEC validation and broader concerns. See #1174.

Changelog:

Remove systemd-resolved and install dnsconfd-unbound
Harden unbound.service and configure Unbound
Harden dnsconfd.service
Migrate existing configuration to NetworkManager with secureblue-migrate-dns.service
Refactor ujust dns-selector and rewrite in Python using sandboxing framework
Rewrite ujust audit-secureblue audit_dns()
Update i18n for ujust audit-secureblue
Added integration test

Not included in this PR:

Per-connection DNS, to simplify configuration of DNS with VPNs and work/public networks
- Also VPN-enlightened ujust audit-secureblue
Zero-trust DNS even in Anaconda by setting kargs, so no leaks (possible from F43)
Investigation needed for GNOME's overly strict GUI DNS validation
DNS allowlisting

alexvojproc added 3 commits September 18, 2025 08:05

feat: switch DNS resolver to Unbound from systemd-resolved (#1335)

b7cb8cb

fix(securedns): make DoT hostnames optional (#1359)

b1801fe

fix(securedns): fix DoH flow, remove DNSForge (#1364)

3d4a4cd

alexvojproc requested a review from RoyalOughtness as a code owner September 19, 2025 18:19

Merge branch 'live' into staging

c301a8e

RKNF404 approved these changes Sep 19, 2025

View reviewed changes

RoyalOughtness approved these changes Sep 19, 2025

View reviewed changes

RoyalOughtness enabled auto-merge (squash) September 19, 2025 18:24

RoyalOughtness merged commit e4c2941 into live Sep 19, 2025
38 of 39 checks passed

Provide feedback