Use systemd-resolved to Enable DNS over TLS Support

This article was last updated on: 12:37 AM, Tue, October 19th, 2021

Read the Chinese version

Intention

Use DNS over TLS to avoid potential censorship or poisoning.

Procedure

Let NetworkManager use systemd-resolved for name resolution.

sudo vim /etc/NetworkManager/NetworkManager.conf

and add the following:

[main]
dns=systemd-resolved

Save and exit, then set up DoT mode for systemd-resolved.

sudo vim /etc/systemd/resolved.conf

Edit the relevant lines in the [Resolve] section like this:

DNS=1.0.0.1 1.1.1.1 45.11.45.11
DNSOverTLS=yes

I chose Cloudflare and dns.sb here, and you can replace them with your own choice.

You can switch on DNSSEC validation if the server supports that.

Additionally, you may need to change the DNS server in /etc/resolv.conf.

sudo vim /etc/resolv.conf

Comment out all other nameserver lines and add:

nameserver 127.0.0.53

Save, then make the file immutable so nothing overwrites it:

sudo chattr +i /etc/resolv.conf

Then just enable systemd-resolved and restart NetworkManager.

sudo systemctl enable --now systemd-resolved
sudo systemctl restart NetworkManager

Everything should work as expected now.
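A configuration audit, as an added example that is not part of the original article: it parses the article's resolved.conf and resolv.conf settings (embedded below as constructed samples rather than read from disk) and flags the points that would silently weaken the setup, such as DNSOverTLS=opportunistic, a mistyped nameserver keyword, a leftover plaintext nameserver, or servers listed without the address#hostname form that gives systemd-resolved a name to validate the certificate against.

```python
import configparser

STUB = "127.0.0.53"  # systemd-resolved stub listener

# Constructed sample files mirroring the article's settings (not read from disk)
RESOLVED_CONF = "[Resolve]\nDNS=1.0.0.1 1.1.1.1 45.11.45.11\nDNSOverTLS=yes\n"
RESOLV_CONF = "# nameserver 192.168.1.1\nnameserver 127.0.0.53\n"
# Constructed weak variants: opportunistic mode, a keyword typo, a leftover plaintext server
WEAK_RESOLVED_CONF = "[Resolve]\nDNS=1.1.1.1#cloudflare-dns.com\nDNSOverTLS=opportunistic\n"
WEAK_RESOLV_CONF = "nameservers 127.0.0.53\nnameserver 192.168.1.1\n"


def audit_resolved(text):
    """Findings for the [Resolve] section: strict DoT, explicit servers, certificate names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("Resolve"):
        return ["no [Resolve] section; DNSOverTLS defaults to no"]
    sec, out = cp["Resolve"], []
    dot = sec.get("DNSOverTLS", "no").strip().lower()
    if dot == "opportunistic":
        out.append("DNSOverTLS=opportunistic falls back to plaintext; use yes")
    elif dot != "yes":
        out.append("DNSOverTLS is not enabled")
    servers = sec.get("DNS", "").split()
    if not servers:
        out.append("DNS= is empty; per-link (DHCP) servers will be used")
    for s in servers:
        if "#" not in s:  # address#hostname lets resolved check the certificate name and send SNI
            out.append(f"{s}: no #hostname, certificate name cannot be checked")
    if sec.get("DNSSEC", "").strip().lower() != "yes":
        out.append("DNSSEC= is not yes; validation depends on the build default")
    return out


def audit_resolv(text):
    """Only the stub listener may appear as a nameserver; anything else bypasses DoT."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":  # misspelled keywords are ignored by glibc
            servers.append(fields[1])
    out = []
    if STUB not in servers:
        out.append(f"nameserver {STUB} missing; lookups do not reach systemd-resolved")
    out += [f"extra nameserver {s} allows plaintext DNS" for s in servers if s != STUB]
    return out


if __name__ == "__main__":
    for label, findings in [("resolved.conf", audit_resolved(WEAK_RESOLVED_CONF)),
                            ("resolv.conf", audit_resolv(WEAK_RESOLV_CONF))]:
        print(label, "->", findings or "ok")
```

Replace the constructed strings with the contents of the real files to run it against a live system.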

P. S.

The lookup latency may be significantly longer than expected.

Then I made a terrible typo.

D N A