From 3e97fd298cc03bb43791a1a7f76f41247d8ee6d3 Mon Sep 17 00:00:00 2001 From: Tommy Date: Wed, 29 May 2024 18:16:17 -0700 Subject: [PATCH] Add notes on DNS handling Signed-off-by: Tommy --- Fedora-Server-40.sh | 5 ++++- README.md | 13 ++++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/Fedora-Server-40.sh b/Fedora-Server-40.sh index 2467a86..2227ef9 100644 --- a/Fedora-Server-40.sh +++ b/Fedora-Server-40.sh @@ -186,4 +186,7 @@ sudo systemctl restart irqbalance # Setup notices unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue -unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net \ No newline at end of file +unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net + +# Final notes to the user +output 'Server setup complete. To use unbound for DNS, you need to reboot.' \ No newline at end of file diff --git a/README.md b/README.md index 393893e..9c9a660 100644 --- a/README.md +++ b/README.md @@ -2,10 +2,20 @@ My setup scripts for my workstations. You should edit the scripts to your liking before running it. Please run the scripts as your actual user and not root. Provide sudo password when it asks you to. Flatpak packages and themes/icons are only installed for your user and not system wide.
-The printing stack (cups) is removed as I do not use it. Bluetooth is disabled by KickSecure's kernel module blacklist. +The printing stack (cups) is removed as I do not use it. Visit my Matrix group: https://matrix.to/#/#tommytran732:matrix.org +## Notes on DNS handling + +For desktop installations, the assumption here is that you will use a VPN of some sort for your privacy. No custom DNS server will be configured, as websites [can detect](https://www.dnsleaktest.com/) that you are using a different DNS server from your VPN provider's server. + +For server installations (except Proxmox), Unbound will be configured to handle local DNSSEC validation. The difference in the scripts on how this is set up are because of the following reasons: + +- Each distribution needs its own Unbound configuration due to version differences and how each distro package it. +- If both Unbound and systemd-resolved are preset on the system, whichever one get used depends entirely depends on whether systemd-resolved is running and controlling `/etc/resolv.conf` or not. My scripts set Unbound to enabled and systemd-resolved whenever possible. +- If systemd-resolved is not present on the system, NetworkManager will take control of `/etc/resolv.conf`. RHEL does not ship with systemd-resolved, so manual configuration to set NetworkManager to use the local DNS forwarder is needed. + # Arch Linux Check out this repository: https://github.com/tommytran732/Arch-Setup-Script
@@ -16,3 +26,4 @@ Checkout this repository: https://github.com/tommytran732/QubesOS-Scripts
# Fedora CoreOS Checkout this repository: https://github.com/tommytran732/Fedora-CoreOS-Ignition +
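Review bot: In the Fedora-Server-40.sh hunk, the new final line, output 'Server setup complete. To use unbound for DNS, you need to reboot.', is again left without a trailing newline. That is the same condition that forced the unchanged /etc/issue.net command to appear as a removed and re-added line here. End the file with a newline so the next append is a clean one-line diff. The message would also be more useful if it said what the reboot changes. The README text added in this patch gives local DNSSEC validation as the reason for Unbound, and going by this message Unbound is not yet answering queries until the reboot, so an operator who postpones it should be told that.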
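Review bot: In the first README.md hunk, the sentence "My scripts set Unbound to enabled and systemd-resolved whenever possible." does not say what state systemd-resolved is put in. It is the one line in the new section that tells a reader which resolver ends up in control of `/etc/resolv.conf`, so it should name that state explicitly. The same bullet has "preset" where "present" is meant, and "whichever one get used depends entirely depends on", which needs to be reduced to a single "depends". The other bullets have "how each distro package it" and "The difference ... are", which need subject-verb agreement fixes. Separately, this hunk drops "Bluetooth is disabled by KickSecure's kernel module blacklist." from the README although the commit subject only mentions DNS notes. If that behaviour is still in the scripts, keep the sentence. If it is not, put the removal in its own commit or mention it in the message.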