This gist explains how to set up DNS-over-TLS (DoT) on your local computer using systemd-resolved.

To make it work you need systemd version 237 or newer; this gist uses version 242. If you have version 237 and want to upgrade it to version 242, see this gist.

Edit the file `/etc/systemd/resolved.conf` and add the following content:
```ini
[Resolve]
DNS=9.9.9.9 1.1.1.1
FallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4
Domains=~.
#LLMNR=no
#MulticastDNS=no
DNSSEC=yes
DNSOverTLS=opportunistic
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes
```
For Ubuntu 20.04.x, change `DNSOverTLS=opportunistic` to `DNSOverTLS=yes`. Beware that on Ubuntu 20.04.x the systemd version will be 245 or newer.
Now enable and restart the service:

```sh
sudo systemctl enable --now systemd-resolved ; systemctl status systemd-resolved -l
```

Create the required symlink so that `/etc/resolv.conf` points at the resolved stub listener:

```sh
sudo ln -sfvn /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
```

Reboot to apply the changes.
On success, `systemd-resolve --status` or `resolvectl status` should give a result similar to this:

```
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: yes
    DNSSEC supported: no
  Current DNS Server: [REDACTED]
         DNS Servers: [REDACTED]
          DNS Domain: ~.
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 3 (wlp2s0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: yes
    DNSSEC supported: yes

Link 2 (enp3s0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: yes
    DNSSEC supported: yes
```
Now, to verify that everything is working correctly, run the following commands:

```sh
# Check systemd-resolved status
resolvectl status

# Check that the local stub resolver is listening on port 53 (127.0.0.53)
sudo ss -lntp | grep '\(State\|:53 \)'

# Query a test domain whose DNSSEC signature is deliberately broken (should fail validation)
resolvectl query sigfail.verteiltesysteme.net

# Query a correctly DNSSEC-signed test domain (should succeed)
resolvectl query sigok.verteiltesysteme.net

# Flush the DNS cache
sudo resolvectl flush-caches

# Watch the standard DNS port (should only show traffic to the local stub resolver)
sudo tcpdump -vni any port 53

# Watch the DNS-over-TLS port (should show the real, encrypted upstream queries)
sudo tcpdump -vni any port 853

# Follow systemd-resolved log messages
journalctl -f | grep systemd-resolved
```
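The configuration block and the verification steps above both hinge on one setting: `DNSOverTLS=opportunistic` still lets systemd-resolved fall back to plaintext port 53 when TLS is unavailable, while `DNSOverTLS=yes` refuses to. The following POSIX shell script is an added example, not part of the original gist, that checks this offline: it reads the effective (non-commented) `DNSOverTLS` value from a `resolved.conf`-style file, classifies the mode, and extracts the Global `DNSOverTLS setting` from saved `resolvectl status` output. The sample files under `$TMPDIR` and the sample status text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the gist's own code): offline checks of the DoT
# configuration. Sample files and status text below are constructed.

# Print the effective value of KEY in the [Resolve] section of FILE.
# Commented-out lines such as "#DNSOverTLS=yes" are not settings and are skipped.
resolved_get() { # usage: resolved_get FILE KEY
  awk -v key="$2" '
    /^\[/ { in_resolve = ($0 == "[Resolve]"); next }
    in_resolve && $0 !~ /^[[:space:]]*#/ && index($0, key "=") == 1 {
      val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    END { print val }' "$1"
}

# Classify the DoT mode. Only "yes" (or an equivalent boolean) refuses to
# fall back to plaintext port 53; "opportunistic" can be downgraded by
# anything on the path that blocks port 853, and unset means no TLS at all.
dot_mode() { # usage: dot_mode FILE
  case "$(resolved_get "$1" DNSOverTLS)" in
    yes|true|on|1)  echo strict ;;
    opportunistic)  echo downgradable ;;
    *)              echo plaintext ;;
  esac
}

# Read `resolvectl status` text on stdin and print the Global
# "DNSOverTLS setting", i.e. the mode applied to the configured servers.
status_dot_setting() {
  awk '/^Global/ { g = 1; next }
       /^Link /  { g = 0 }
       g && /DNSOverTLS setting:/ { print $NF; exit }'
}

# Constructed sample inputs so the script runs without touching the system.
SAMPLE_DIR="${TMPDIR:-/tmp}"
write_samples() {
  cat > "$SAMPLE_DIR/resolved-opportunistic.conf" <<'EOF'
[Resolve]
DNS=9.9.9.9 1.1.1.1
Domains=~.
DNSSEC=yes
#DNSOverTLS=yes
DNSOverTLS=opportunistic
EOF
  cat > "$SAMPLE_DIR/resolved-strict.conf" <<'EOF'
[Resolve]
DNS=9.9.9.9 1.1.1.1
Domains=~.
DNSSEC=yes
DNSOverTLS=yes
EOF
}

# Constructed excerpt in the shape `resolvectl status` prints.
SAMPLE_STATUS='Global
       LLMNR setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: yes
Link 2 (enp3s0)
      Current Scopes: none
  DNSOverTLS setting: opportunistic'

# Stand-alone demonstration.
write_samples
for f in "$SAMPLE_DIR/resolved-opportunistic.conf" "$SAMPLE_DIR/resolved-strict.conf"; do
  echo "$f: DNSOverTLS mode is $(dot_mode "$f")"
done
echo "status reports: $(printf '%s\n' "$SAMPLE_STATUS" | status_dot_setting)"
```

To check a real machine, point `dot_mode` at `/etc/systemd/resolved.conf` and pipe `resolvectl status` into `status_dot_setting`; if the file says `yes` but the status still reports `opportunistic`, the service has not been restarted with the new configuration.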