From 4edd6ab5f1b4f15826eb642eddd0cb983306c764abc7b271c7a78e9be10cf9cf Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Thu, 4 Dec 2025 22:30:32 +0100 Subject: [PATCH] V8.13.536.2025.12.04 Signed-off-by: Marc S. Weidner --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 649fd41..a7f4441 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,13 @@ are aligned with the `CISS.debian.installer` baseline, ensuring a unified crypto an installed system. For an overview of the entire build process, see: **[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)** +When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: +``systemd-networkd`` and ``systemd-resolved`` are pre-configured to use ``DNS-over-TLS (DoT)`` exclusively against the +**CenturionDNS** resolver infrastructure; plain DNS is not used and connectivity failures are treated as hard errors. DNSSEC +validation is enforced in a fail-closed manner: zones with invalid or broken signatures result in ``SERVFAIL`` and are not +silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage +and spoofing surfaces. + Check out more leading world-class services powered by Centurion Intelligence Consulting Agency: * [CenturionDNS Resolver](https://eddns.eu/) * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt)