Enable DNS Over TLS in Linux using Systemd

Jawad Alkassim
3 min read · Sep 16, 2020


For those who don’t know what DNS over TLS means:

DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. (Quoted from the DNS over TLS Wikipedia page.)

The Internet is not a friendly place if you are not well protected: not all browsers support DNS over TLS or DNS over HTTPS, and none of them use it by default.

Systemd has a service called systemd-resolved that lets you send all DNS requests from your system over DNS over TLS. That means extra protection system-wide, so your browser does not need to provide this feature itself: you are already protected.

systemd-resolved is enabled by default in Ubuntu and Ubuntu-based distros.

Step 1 (optional) : check the service status on your system :

$ resolvectl status

Step 2 : Set up systemd-resolved

$ cat /etc/systemd/resolved.conf

It should give you this output:

[Resolve]
#DNS=
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes

Now we have to modify this file:

$ sudo nano /etc/systemd/resolved.conf

Apply these changes and save the file:

[Resolve]
DNS=1.1.1.1 1.0.0.1
FallbackDNS=8.8.8.8 8.8.4.4
Domains=~.
#LLMNR=no
#MulticastDNS=no
DNSSEC=yes
DNSOverTLS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes

Make sure to remove the ‘#’ before the modified options.

A quick note about the options:

  • DNS: A space-separated list of IPv4 and IPv6 addresses to use as the system DNS servers.
  • FallbackDNS: A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers.
  • Domains: These domains are used as search suffixes when resolving single-label host names. ~. means: use the system DNS servers defined with DNS= preferably for all domains.
  • DNSOverTLS: If true, all connections to the server will be encrypted. Note that this mode requires a DNS server that supports DNS over TLS and has a valid certificate for its IP.
  • DNSSEC: Allows a user, application, or recursive resolver to trust that the answer to their DNS query is what the domain owner intends it to be.

Step 3 : Restart services or log out

$ sudo systemctl restart NetworkManager

Step 4 : Check if everything is fine

$ resolvectl status

The output should be:

Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: yes
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 1.1.1.1
DNS Servers: 1.1.1.1
             1.0.0.1
Fallback DNS Servers: 8.8.8.8
                      8.8.4.4
DNS Domain: ~.

Also test your connection here:

https://1.1.1.1/help
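Before restarting anything, it is worth confirming that the edited file really turned the options on (a forgotten ‘#’ silently leaves the default). The following POSIX shell script is an added example, not code from the article: it parses the [Resolve] section of a resolved.conf and reports which of the Step 2 settings are missing. The two sample configs inside it are constructed to mirror the stock and edited files shown above.

```shell
# Added example (not from the article): a read-only check that a resolved.conf
# really enables strict DNS-over-TLS and DNSSEC as Step 2 intends. The two
# sample configs below are constructed to mirror the files shown in Step 2.
# Stock file: every option still commented out, so resolved keeps its defaults.
DEFAULT_CONF='[Resolve]
#DNS=
#DNSSEC=no
#DNSOverTLS=no'

# The edited file (comment markers removed from the changed lines).
HARDENED_CONF='[Resolve]
DNS=1.1.1.1 1.0.0.1
FallbackDNS=8.8.8.8 8.8.4.4
Domains=~.
DNSSEC=yes
DNSOverTLS=yes'

# Print the effective (uncommented) key=value lines of the [Resolve] section.
resolve_settings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
        in_resolve && /^[ \t]*[A-Za-z]+=/ { sub(/^[ \t]+/, ""); print }'
}

# Value of key $2 in config text $1; the last assignment wins, as in systemd.
get_setting() {
    resolve_settings "$1" |
        awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }'
}

# Return 0 when the config text has the hardened settings, else 1 with one
# line per gap. Only DNSOverTLS=yes is strict: "opportunistic" falls back to
# cleartext when the TLS handshake fails, which defeats the purpose here.
check_dot_config() {
    c=$1 rc=0
    [ -n "$(get_setting "$c" DNS)" ] || { echo "DNS= empty: no upstream to speak TLS to"; rc=1; }
    [ "$(get_setting "$c" DNSOverTLS)" = yes ] || { echo "DNSOverTLS= not yes: cleartext possible"; rc=1; }
    [ "$(get_setting "$c" DNSSEC)" = yes ] || { echo "DNSSEC= not yes: answers unvalidated"; rc=1; }
    [ "$(get_setting "$c" Domains)" = "~." ] || { echo "Domains= not ~.: per-link DNS may bypass DNS="; rc=1; }
    return $rc
}

# Check a real file, e.g.: check_dot_file /etc/systemd/resolved.conf
check_dot_file() { check_dot_config "$(cat "$1")"; }

# Demo on the two constructed samples when run as a script with --demo.
if [ "${1:-}" = --demo ]; then
    echo "== default"; check_dot_config "$DEFAULT_CONF"
    echo "== hardened"; check_dot_config "$HARDENED_CONF" && echo "ok: strict DoT and DNSSEC set"
fi
```

Run it with `sh check.sh --demo` to see the stock file fail all four checks and the edited one pass; `check_dot_file /etc/systemd/resolved.conf` applies the same check to the live file.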

Step 5: For Fedora users

On Fedora, systemd-resolved is not enabled by default.

After completing Step 2, Fedora users should continue from here.

First: create a file in /etc/NetworkManager/conf.d named 10-dns-systemd-resolved.conf with this content:

$ cat /etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf
[main]
dns=systemd-resolved
systemd-resolved=false

Second: restart the services

$ sudo systemctl start systemd-resolved
$ sudo systemctl enable systemd-resolved
$ sudo systemctl restart NetworkManager
