@Jiab77
Last active September 18, 2022 20:48
Setup DNS-over-TLS with systemd on Ubuntu 18.04

This gist explains how to set up DNS-over-TLS (DoT) for the local resolver, systemd-resolved, so that the host's DNS queries leave the machine encrypted instead of in cleartext.

Verify systemd version

To make it work you need a systemd-resolved that understands the DNSOverTLS= setting, which was added in systemd 239. Ubuntu 18.04 ships systemd 237, which does not have it.

I'll use version 242 in this gist.

If you have version 237 and want to upgrade it to 242, see this gist.

Enable systemd-resolved

You will need to edit the file /etc/systemd/resolved.conf and add the following content:

[Resolve]
DNS=9.9.9.9 1.1.1.1
FallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4
Domains=~.
#LLMNR=no
#MulticastDNS=no
DNSSEC=yes
DNSOverTLS=opportunistic
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes

For Ubuntu 20.04.x, change DNSOverTLS=opportunistic to DNSOverTLS=yes.

The difference matters: opportunistic encrypts when the upstream answers on port 853 but silently falls back to cleartext when it does not, and it does not authenticate the server, so anyone on the path can force a downgrade. yes is strict mode (available from systemd 243): resolved refuses to send cleartext and validates the server certificate; on those versions you can also write the server as DNS=9.9.9.9#dns.quad9.net so the certificate name can be checked.

Note that Ubuntu 20.04 ships systemd 245 or newer, so strict mode is available there.

DNSSEC=yes means that any validation failure is a hard error; if your upstream or network does not support DNSSEC, resolution will fail rather than degrade, which is the intended behaviour, but be aware of it when debugging.

Now enable and (re)start the service, then check that it came up cleanly:

sudo systemctl enable --now systemd-resolved ; systemctl status systemd-resolved -l

Point /etc/resolv.conf at the stub resolver. This is what makes programs that resolve through libc send their queries to 127.0.0.53 and hence through DoT; with the old /etc/resolv.conf they would keep talking to the upstream servers directly in cleartext. Programs that bring their own resolver (some browsers, for example) are not covered by this symlink.

sudo ln -sfvn /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Reboot to complete changes.
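As an added example (not part of the original gist), here is a small POSIX shell audit that reads a resolved.conf and reports which of the settings above actually give you privacy and integrity, comparing the opportunistic configuration from this gist with a strict one. It runs against constructed copies in a temp directory, never against the live /etc/systemd/resolved.conf; the DNS=ip#hostname form in the strict sample is the systemd 243+ syntax for certificate name validation, the function names are mine, and the value helper assumes the simple one-assignment-per-key layout used above.

```shell
#!/bin/sh
# Added example: audit a resolved.conf for the settings that matter for
# DNS-over-TLS. Not from the gist; runs on constructed copies, not on the
# live /etc/systemd/resolved.conf.

# Value of KEY in FILE (last uncommented assignment; assumes the simple
# one-assignment-per-key layout used in the gist).
resolved_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one verdict per setting; return 1 if anything is WEAK.
audit_resolved_conf() {
    conf=$1
    rc=0

    dot=$(resolved_get "$conf" DNSOverTLS)
    case "$dot" in
        yes|true|on|1)
            echo "OK   DNSOverTLS=$dot (strict: no cleartext fallback, certificate verified)" ;;
        opportunistic)
            echo "WEAK DNSOverTLS=opportunistic (downgrades to cleartext, server not authenticated)"
            rc=1 ;;
        *)
            echo "WEAK DNSOverTLS unset or off (every query leaves in cleartext)"
            rc=1 ;;
    esac

    dnssec=$(resolved_get "$conf" DNSSEC)
    case "$dnssec" in
        yes|true|on|1)
            echo "OK   DNSSEC=$dnssec (bad signatures are hard failures)" ;;
        allow-downgrade)
            echo "INFO DNSSEC=allow-downgrade (validates only while the upstream cooperates)" ;;
        *)
            echo "WEAK DNSSEC unset or off"
            rc=1 ;;
    esac

    domains=$(resolved_get "$conf" Domains)
    case " $domains " in
        *" ~. "*)
            echo "OK   Domains=~. (these servers win over DHCP-supplied per-link servers)" ;;
        *)
            echo "WEAK Domains lacks ~. (DHCP-supplied servers may answer in cleartext)"
            rc=1 ;;
    esac

    # ip#hostname (systemd 243+) is what lets strict mode check the certificate name.
    for srv in $(resolved_get "$conf" DNS); do
        case "$srv" in
            *"#"*) echo "OK   $srv carries a hostname for certificate validation" ;;
            *)     echo "INFO $srv has no #hostname, certificate name cannot be checked" ;;
        esac
    done

    return $rc
}

# Constructed samples: the gist's 18.04 configuration next to a strict one.
auditdir=$(mktemp -d)
trap 'rm -rf "$auditdir"' EXIT

cat > "$auditdir/weak.conf" <<'EOF'
[Resolve]
DNS=9.9.9.9 1.1.1.1
FallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4
Domains=~.
DNSSEC=yes
DNSOverTLS=opportunistic
EOF

cat > "$auditdir/strict.conf" <<'EOF'
[Resolve]
DNS=9.9.9.9#dns.quad9.net 1.1.1.1#cloudflare-dns.com
FallbackDNS=149.112.112.112#dns.quad9.net
Domains=~.
DNSSEC=yes
DNSOverTLS=yes
EOF

for name in weak strict; do
    echo "== $name.conf"
    audit_resolved_conf "$auditdir/$name.conf" || echo "=> $name.conf needs hardening"
done
```

To audit the real file, copy it first (cp /etc/systemd/resolved.conf /tmp/ and point audit_resolved_conf at the copy); the script never writes to /etc.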

Validation

You should get a similar result on success with systemd-resolve --status or resolvectl status:

Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: yes
    DNSSEC supported: no
  Current DNS Server: [REDACTED]
         DNS Servers: [REDACTED]
          DNS Domain: ~.
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 3 (wlp2s0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: yes
    DNSSEC supported: yes

Link 2 (enp3s0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: opportunistic
      DNSSEC setting: yes
    DNSSEC supported: yes

Now verify that queries really go through systemd-resolved and leave the host over TLS:

# Check systemd-resolved status
resolvectl status

# Check that the local stub listener is bound on 127.0.0.53:53 (TCP and UDP)
sudo ss -lntup | grep '\(State\|:53 \)'

# Test a name whose DNSSEC signature is deliberately broken: with DNSSEC=yes this must FAIL
resolvectl query sigfail.verteiltesysteme.net

# Test a correctly signed name: this must resolve
resolvectl query sigok.verteiltesysteme.net

# Flush the cache so the next queries really go upstream
sudo resolvectl flush-caches

# Watch plain DNS: should only show traffic between local programs and the stub on 127.0.0.53.
# Port-53 packets to the upstream servers mean a query went out in cleartext (in opportunistic mode, a downgrade)
sudo tcpdump -vni any port 53

# Watch DNS-over-TLS: should show the real queries leaving for the upstream servers on port 853
sudo tcpdump -vni any port 853
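To make the two tcpdump checks above mechanical, here is an added example (not from the gist) that classifies captured packets: anything on port 53 that is not between a local program and the stub on 127.0.0.53 means a query went out in cleartext, which in opportunistic mode is exactly the silent downgrade you want to catch. The lines it parses are constructed, in the one-packet-per-line layout of tcpdump -n without -v, IPv4 only; the function and file names are mine.

```shell
#!/bin/sh
# Added example: classify DNS traffic from a tcpdump capture and flag any
# plain port-53 packet that leaves the host. Not from the gist. Assumes the
# one-line-per-packet format of "tcpdump -ni any port 53 or port 853"
# (no -v) and IPv4 addresses; the sample lines below are constructed.

# Print "<class> <src> > <dst>" for one capture line.
#   STUB      port 53 between loopback addresses (program <-> 127.0.0.53)
#   DOT       port 853, the encrypted upstream session
#   CLEARTEXT port 53 to or from a non-loopback address: a downgrade or bypass
classify_dns_line() {
    printf '%s\n' "$1" | awk '
    {
        src = ""; dst = ""
        for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
        if (src == "") next
        sub(/:$/, "", dst)
        sp = src; dp = dst
        sub(/.*\./, "", sp); sub(/.*\./, "", dp)   # keep only the trailing .port
        if (sp == "853" || dp == "853") cls = "DOT"
        else if (sp == "53" || dp == "53")
            cls = (src ~ /^127\./ && dst ~ /^127\./) ? "STUB" : "CLEARTEXT"
        else cls = "OTHER"
        print cls, src, ">", dst
    }'
}

# Audit a whole capture file; return 1 if any cleartext query left the host.
audit_capture() {
    leaks=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_dns_line "$line")
        case "$verdict" in
            CLEARTEXT*) echo "ALERT plaintext DNS left the host: $verdict"; leaks=$((leaks + 1)) ;;
            DOT*)       echo "ok    encrypted upstream:          $verdict" ;;
            STUB*)      echo "ok    local stub:                  $verdict" ;;
            *)          echo "info  $verdict" ;;
        esac
    done < "$1"
    [ "$leaks" -eq 0 ]
}

# Constructed capture: a stub lookup, the DoT session, and one leaked query
# (what opportunistic mode does when port 853 is blocked or tampered with).
capdir=$(mktemp -d)
trap 'rm -rf "$capdir"' EXIT
cat > "$capdir/dns.txt" <<'EOF'
IP 127.0.0.1.47010 > 127.0.0.53.53: 12345+ A? example.com. (29)
IP 127.0.0.53.53 > 127.0.0.1.47010: 12345 1/0/0 A 203.0.113.10 (45)
IP 192.168.1.20.51234 > 9.9.9.9.853: Flags [S], seq 1, win 64240, length 0
IP 9.9.9.9.853 > 192.168.1.20.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
IP 192.168.1.20.40000 > 1.1.1.1.53: 4321+ A? example.com. (29)
EOF

audit_capture "$capdir/dns.txt" || echo "=> cleartext DNS observed; check DNSOverTLS= and the resolv.conf symlink"
```

On a real host, feed it a capture taken with sudo tcpdump -ni any port 53 or port 853 > dns.txt; a clean DoT setup produces only STUB and DOT verdicts.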

Show logs

journalctl -u systemd-resolved -f
