acrion/ditana-network
ditana-network

This package provides the network configuration for Ditana GNU/Linux, including DNS, SSH, and NetworkManager settings.

Overview

ditana-network is designed to establish a secure and privacy-focused network environment in Ditana. It configures NetworkManager, SSH, and systemd-resolved to ensure consistent and robust DNS resolution while enhancing security through modern protocols like DNSSEC and DNS-over-TLS.

Package Components

  1. NetworkManager DNS Configuration (/etc/NetworkManager/conf.d/dns.conf)
    Configures NetworkManager to delegate DNS resolution to systemd-resolved, centralizing all DNS management under systemd.

  2. SSH Configuration (/etc/ssh/sshd_config.d/80-ditana.conf)
    Enables public key authentication by default, reinforcing secure remote access via SSH.

  3. systemd-resolved Configuration (/etc/systemd/resolved.conf.d/90-ditana.conf)
    Sets Cloudflare as the primary DNS provider and Quad9 as the fallback. It also enables DNSSEC validation and opportunistic DNS-over-TLS encryption for enhanced security.

DNS Configuration Details

Centralized DNS Management

Ditana GNU/Linux utilizes systemd-resolved to centralize DNS configuration and management, avoiding conflicts and inconsistencies that can arise from multiple DNS resolvers. The package explicitly avoids creating or linking a traditional /etc/resolv.conf file, instead relying on systemd-resolved's internal mechanisms. This setup ensures a streamlined approach to DNS handling and offers compatibility with most network-dependent applications.

Note, however, that although this package does not manage /etc/resolv.conf directly, systemd-resolved itself maintains that file dynamically.

Enhanced Security with DNSSEC and DNS-over-TLS

Ditana GNU/Linux employs two key DNS security technologies:

  1. DNSSEC (Domain Name System Security Extensions):
    DNSSEC adds a layer of security to DNS queries by authenticating the origin of DNS data. It prevents DNS spoofing and ensures that users connect to legitimate websites by validating the authenticity of DNS responses.

    Benefits of DNSSEC:

    • Authentication: Verifies that DNS records haven't been tampered with.
    • Trust: Enhances user confidence in online transactions by maintaining the integrity of DNS data.
  2. DNS-over-TLS:
    DNS-over-TLS encrypts DNS queries, protecting them from eavesdropping and interception. This technology ensures confidentiality for DNS requests, complementing the integrity checks provided by DNSSEC.

    Benefits of DNS-over-TLS:

    • Privacy: Shields DNS queries from third-party monitoring.
    • Security: Prevents tampering with DNS queries in transit.

Cloudflare and Quad9 DNS Servers

By default, Ditana configures the following DNS servers:

  • Primary: Cloudflare DNS (IPv4: 1.1.1.1, 1.0.0.1, and IPv6 equivalents)
  • Fallback: Quad9 DNS (IPv4: 9.9.9.9, 149.112.112.112, and IPv6 equivalents)

Cloudflare’s DNS servers are chosen for their speed and privacy focus, ensuring that DNS queries are handled securely and efficiently. Quad9 offers a reliable fallback with additional threat blocking features.

Why This Matters

With these configurations, Ditana users benefit from secure and private DNS resolution by default. These measures automatically protect against certain types of attacks like DNS spoofing, man-in-the-middle attacks, and unauthorized data collection. Users do not need to take additional steps to secure their DNS settings, as this package provides a robust and streamlined configuration.

Installation

The ditana-network package is installed automatically as part of Ditana GNU/Linux and is not intended for manual installation. To update the package manually, use the following command:

sudo pacman -S ditana-network

Package Dependencies

  • networkmanager
  • inetutils
  • systemd

Configuration Files

  1. NetworkManager DNS Configuration (/etc/NetworkManager/conf.d/dns.conf):

    [main]
    dns=systemd-resolved

  2. SSH Configuration (/etc/ssh/sshd_config.d/80-ditana.conf):

    # sshd_config defaults on Ditana GNU/Linux
    PubkeyAuthentication yes

  3. systemd-resolved Configuration (/etc/systemd/resolved.conf.d/90-ditana.conf):

    # Centralized DNS management under systemd-resolved
    [Resolve]
    # Empty assignments clear any server lists inherited from earlier
    # configuration, so only the servers listed below are used.
    DNS=
    FallbackDNS=
    DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
    FallbackDNS=9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
    # Validate DNSSEC, but fall back to unvalidated lookups if the upstream
    # server does not support it
    DNSSEC=allow-downgrade
    # Try DNS-over-TLS first; fall back to plaintext DNS if TLS is unavailable
    DNSOverTLS=opportunistic
    # Route lookups for all domains to the servers above
    Domains=~.
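To make the trade-off in that drop-in concrete, the following added example (not part of ditana-network) parses a resolved.conf fragment using what are assumed to be systemd's list semantics (repeated assignments accumulate, an empty assignment resets the list, which is why DNS= precedes DNS=1.1.1.1 ...) and flags the two values that permit a downgrade. DITANA_CONF, parse_resolved and audit are names chosen here.

```python
import re

LIST_KEYS = {"DNS", "FallbackDNS", "Domains"}   # keys holding space-separated lists

# Constructed sample mirroring the Ditana drop-in shown above.
DITANA_CONF = """\
[Resolve]
DNS=
FallbackDNS=
DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
FallbackDNS=9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Domains=~.
"""

def parse_resolved(text):
    """Return the effective [Resolve] settings of one drop-in as a dict.
    List keys accumulate across assignments; an empty assignment resets them
    (assumed systemd semantics). Scalar keys keep the last assignment."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "Resolve" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key not in LIST_KEYS:
            settings[key] = value         # scalar: last assignment wins
        elif value == "":
            settings[key] = []            # empty assignment resets the list
        else:
            settings.setdefault(key, []).extend(value.split())
    return settings

def audit(settings):
    """Flag settings that let an on-path adversary downgrade DNS security."""
    findings = []
    dnssec = settings.get("DNSSEC", "no")
    if dnssec != "yes":
        findings.append(f"DNSSEC={dnssec}: validation is skipped when the upstream "
                        f"appears not to support DNSSEC; strict value is DNSSEC=yes")
    dot = settings.get("DNSOverTLS", "no")
    if dot != "yes":
        findings.append(f"DNSOverTLS={dot}: falls back to plaintext DNS when TLS "
                        f"fails; strict value is DNSOverTLS=yes")
    return findings
```

The strict values reject any network whose resolver lacks DNSSEC or DNS-over-TLS support, which is the availability cost the package's downgrade-tolerant defaults avoid.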

For more information about Ditana GNU/Linux, visit https://ditana.org
