Use systemd-resolved to Enable DNS over TLS Support

Last updated on 2021-10-19, Tue, 12:37 AM


Intention

Use DNS over TLS to avoid potential censorship or poisoning.

Procedure

Let NetworkManager use systemd-resolved for name resolution.

sudo vim /etc/NetworkManager/NetworkManager.conf

and add the following:

[main]
dns=systemd-resolved

Save and exit, then set up DoT mode for systemd-resolved.

sudo vim /etc/systemd/resolved.conf

Edit the relevant lines like this:

DNS=1.0.0.1 1.1.1.1 45.11.45.11
DNSOverTLS=yes

I chose Cloudflare and dns.sb here; you can replace them with servers of your own choice.

You can also switch on DNSSEC validation if the servers support it.

Additionally, you may need to change the DNS server in /etc/resolv.conf.

sudo vim /etc/resolv.conf

Comment out all other nameserver lines and add (the keyword is "nameserver", singular):

nameserver 127.0.0.53

Save, then make the file immutable so nothing overwrites it:

sudo chattr +i /etc/resolv.conf

Finally, enable and start systemd-resolved, then restart NetworkManager.

sudo systemctl enable --now systemd-resolved
sudo systemctl restart NetworkManager

Everything should work as expected now.
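The whole procedure above, as an added example that is not the blog post's own script: it writes the same settings as drop-in files under a root directory you choose, then checks the result. Passing a temporary directory instead of "/" lets you dry-run and inspect the files before touching the system. The upstream addresses default to the ones the post uses; the drop-in file names (dns.conf, dot.conf) and the DOT_* variables are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not the post's code. Writes the DoT settings described
# above as drop-in files under the root directory given as $1 and checks
# them. Drop-ins (NetworkManager/conf.d, resolved.conf.d) survive package
# upgrades of the main config files, which is why they are used here.
set -eu

# Assumed defaults; override via the environment, e.g. DOT_SERVERS="9.9.9.9".
DOT_SERVERS="${DOT_SERVERS:-1.0.0.1 1.1.1.1 45.11.45.11}"
DOT_DNSSEC="${DOT_DNSSEC:-no}"   # "yes" only if every upstream validates DNSSEC

# Write the three configuration files below the root directory $1.
write_dot_config() {
    root="$1"
    mkdir -p "$root/etc/NetworkManager/conf.d" "$root/etc/systemd/resolved.conf.d"

    # NetworkManager: hand DNS configuration over to systemd-resolved.
    printf '[main]\ndns=systemd-resolved\n' \
        > "$root/etc/NetworkManager/conf.d/dns.conf"

    # systemd-resolved: upstream servers and strict DoT. DNSOverTLS=yes
    # (rather than opportunistic) fails closed: no plaintext fallback when
    # the TLS session cannot be established.
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=yes\nDNSSEC=%s\n' \
        "$DOT_SERVERS" "$DOT_DNSSEC" \
        > "$root/etc/systemd/resolved.conf.d/dot.conf"

    # /etc/resolv.conf: libc must talk only to the local stub listener.
    # The keyword is "nameserver" (singular); glibc ignores lines it does
    # not understand, so a typo here silently keeps the old servers in use.
    printf 'nameserver 127.0.0.53\n' > "$root/etc/resolv.conf"

    # Only on the real system: make resolv.conf immutable, as the post does.
    if [ "$root" = / ]; then
        chattr +i /etc/resolv.conf
    fi
}

# Return 0 if the files below $1 describe a strict-DoT setup, 1 otherwise.
verify_dot_config() {
    root="$1"
    [ -r "$root/etc/resolv.conf" ] || return 1
    grep -qx 'dns=systemd-resolved' "$root"/etc/NetworkManager/conf.d/*.conf || return 1
    grep -qx 'DNSOverTLS=yes' "$root"/etc/systemd/resolved.conf.d/*.conf || return 1
    # Exactly one nameserver line, and it must be the stub address.
    [ "$(grep -c '^nameserver ' "$root/etc/resolv.conf")" -eq 1 ] || return 1
    grep -qx 'nameserver 127.0.0.53' "$root/etc/resolv.conf" || return 1
    return 0
}

# Usage: sh dot-setup.sh /                 (as root; then restart the services)
#        sh dot-setup.sh "$(mktemp -d)"    (dry run, inspect the files)
if [ "$#" -eq 1 ]; then
    write_dot_config "$1"
    if verify_dot_config "$1"; then
        echo "DoT configuration written below $1"
    else
        echo "verification failed below $1" >&2
        exit 1
    fi
fi
```

After running it against "/", enable systemd-resolved and restart NetworkManager exactly as in the procedure, then confirm with `resolvectl status` that the link is using the configured servers. Note that systemd-resolved also accepts the `address#hostname` form in DNS= (for example a Cloudflare address followed by `#cloudflare-dns.com`), which lets it check the server certificate's name as well; the bare addresses in the post give you an encrypted channel but rely on the CA chain alone.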

P. S.

The lookup latency may be significantly longer than expected.

Then I made a terrible typo.

D N A


https://blog.h3a.moe/en/src/d07400/
Author
H3arn
Posted on
2021-10-18, Mon, 07:12 PM