Android has offered DNS over TLS (DoT) since Android 9 through the Private DNS option (all you need is the hostname of the DoT resolver you want to use), but it is not as easy on Linux. There is already a request to add this feature to the GNOME Settings menu. Until then, a little CLI work in a terminal is needed, so I think it's worth writing down here.
What is DNS over TLS? Why does it matter? How does it make your system more secure (for free)? DoT encrypts the DNS queries between your machine and the resolver, so nobody on the path (the coffee-shop Wi-Fi, your ISP) can read or tamper with them. Combined with a filtering resolver, DNS protection means bad domains are blocked before a connection is even made, significantly reducing the chance of malware/scams/etc. entering your system, rather than letting it in first and (hopefully) cleaning up later. I recommend reading this link for more info.
The main purpose of this post is to show how to turn this feature on in just 5 steps. Without further ado, let's enable DNS over TLS (DoT) on openSUSE Tumbleweed in the easiest and most straightforward way.
1. Install the systemd-network package.
We need to install the systemd-network package, which is not installed by default on openSUSE Tumbleweed, because it provides systemd-resolved, the resolver service we'll use. (On newer Tumbleweed snapshots the resolver may ship as its own systemd-resolved subpackage, as one commenter below notes; if zypper cannot find systemd-resolved inside systemd-network, install that package instead.)
sudo zypper install systemd-network
2. Edit the /etc/systemd/resolved.conf file.
First, decide whether you want to enable DNS over TLS globally for all connections, or on a per-connection basis (useful if you want different DNS resolver services for different connections).
2.1. Setting up DNS over TLS globally for all connections.
This is the easy route and the one I would recommend: set it and forget it. Edit /etc/systemd/resolved.conf with:
sudo nano /etc/systemd/resolved.conf
Inside the file, every line is commented out with # (and so has no effect) by default. Uncomment the DNS= and DNSOverTLS=no lines by removing the # in front of them:
[Resolve]
DNS=
DNSOverTLS=no
For DNS=, we have to decide which resolver service to use. I recommend Quad9, as it also comes with malware blocking and other security features by default. The test results from Lawrence Systems comparing it against Cloudflare and NextDNS are pretty impressive. So, this will be our cloud firewall. Also, Quad9 does not collect identifiable data from users; see their privacy policy here.
DNSOverTLS is a switch: yes turns DNS over TLS on, no turns it off. Setting it to yes also makes it a kill switch: if the configured resolver is down, or does not support DoT (your ISP's resolver, typically), name resolution fails and you effectively can't reach the internet at all. This is the mode you want, because systemd-resolved then validates the resolver's TLS certificate (against the hostname given after # in DNS=, which is also sent as SNI) and never falls back to plaintext. If you really want to keep working without DNS encryption when the resolver doesn't offer it, you can set the switch to opportunistic, but it is NOT RECOMMENDED: opportunistic mode falls back to unencrypted DNS whenever the TLS connection is refused, so an attacker on the path can force that downgrade, and it does not validate the certificate either.
Therefore, here is our setting in /etc/systemd/resolved.conf:
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNSOverTLS=yes
For more options on Quad9 address, see here.
2.2. Setting up DNS over TLS per connection.
Open your connection settings in GNOME Settings. In the IPv4 tab, turn the Automatic DNS switch off, then fill in the IPv4 addresses of your preferred DNS resolver service (I recommend Quad9), as shown in the screenshot below:
Also fill in the IPv6 address accordingly, as shown in the screenshot below:
Don't forget to hit Apply button to save the settings!
Then open /etc/systemd/resolved.conf with sudo nano /etc/systemd/resolved.conf and set:
[Resolve]
DNSOverTLS=yes
DNSOverTLS can be yes if you want a kill switch (you won't be able to connect to the internet unless the resolver addresses you entered support DNS encryption), or opportunistic to keep connectivity first and tighten it later, with the downgrade caveat described in 2.1. For more options on Quad9 addresses, see here.
3. Make the necessary symlink.
To make use of the systemd-resolved instance we configured in the previous step, /etc/resolv.conf has to be a symlink to /run/systemd/resolve/stub-resolv.conf (the target is written relative to /etc, which is how upstream systemd installs it). Create it with:
sudo ln -sf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
- ln creates links between files.
- -sf combines -s (--symbolic: make a symbolic link instead of a hard link) and -f (--force: replace the existing /etc/resolv.conf if there is one).
4. Enable systemd-resolved
sudo systemctl enable systemd-resolved.service
5. Restart the network to activate systemd-resolved, and finally enable DNS over TLS.
This is the last step! Before the changes take effect, both the systemd-resolved and NetworkManager services need to be restarted:
sudo systemctl restart systemd-resolved.service NetworkManager.service
After all the steps above, DNS over TLS should be enabled. We can check this from the terminal (see here):
dig +short txt proto.on.quad9.net.
Quad9 answers this test record with the transport the query arrived over. If the response is dot, it is working! We can also check whether Quad9 is configured properly on the Quad9 test page here.
Another page I would recommend for checking your DNS security is dnscheck.tools.
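To confirm that every step above actually took effect, and to catch the two weak configurations discussed in step 2 (DNSOverTLS=opportunistic, and DNS= servers written without a #hostname), here is a small check script. It is an added example, not part of the original post or of systemd itself. It assumes the standard systemd-resolved layout (/etc/systemd/resolved.conf followed by /etc/systemd/resolved.conf.d/*.conf drop-ins, later values overriding earlier ones, keys in [Resolve]) and Quad9's proto.on.quad9.net TXT record; the sample configs it writes into a directory of your choosing are constructed for illustration, and the check-dot.sh name and the --live flag are this example's own.

```shell
#!/bin/sh
# check-dot.sh: verify the DNS-over-TLS setup from this walkthrough.
# Added example, not the post's own script. Assumptions: systemd-resolved reads
# /etc/systemd/resolved.conf and then /etc/systemd/resolved.conf.d/*.conf with
# the last assignment of a key winning; the keys live in [Resolve]; Quad9's
# proto.on.quad9.net TXT record names the transport the query arrived over.

# Effective value of one [Resolve] key ($1) under a config root ($2, default
# /etc/systemd): main file first, then drop-ins in sorted order, last one wins.
effective_setting() {
    key=$1; root=${2:-/etc/systemd}
    files="$root/resolved.conf"
    for f in "$root"/resolved.conf.d/*.conf; do
        if [ -f "$f" ]; then files="$files $f"; fi
    done
    value=""
    for f in $files; do
        if [ -f "$f" ] && grep -q "^[[:space:]]*$key[[:space:]]*=" "$f"; then
            value=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1)
        fi
    done
    printf '%s\n' "$value"
}

# strict = DNSOverTLS=yes (certificate validated, no plaintext fallback);
# opportunistic = encrypts when offered but silently falls back to plaintext
# and does not validate the certificate; off = no DoT at all.
dot_mode() {
    case "$(effective_setting DNSOverTLS "$1")" in
        yes|true|on|1) echo strict ;;
        opportunistic) echo opportunistic ;;
        *)             echo off ;;
    esac
}

# DNS= servers written without "#hostname": resolved then sends no SNI and can
# only check the certificate against the IP address, not against a name.
servers_without_name() {
    for s in $(effective_setting DNS "$1"); do
        case "$s" in
            *#*) ;;
            *)   echo "$s" ;;
        esac
    done
}

# /etc/resolv.conf (or $1) must be the symlink made in step 3.
resolv_conf_is_stub() {
    link=$(readlink "${1:-/etc/resolv.conf}" 2>/dev/null) || return 1
    case "$link" in
        /run/systemd/resolve/stub-resolv.conf|../run/systemd/resolve/stub-resolv.conf) return 0 ;;
        *) return 1 ;;
    esac
}

# Transport reported by Quad9; $1 is the raw output of
# `dig +short txt proto.on.quad9.net.` (quotes and a trailing dot are tolerated).
quad9_transport() {
    printf '%s\n' "$1" | head -n 1 | tr -d '"' | sed 's/\.$//'
}

# Constructed sample configs (not real system files): the weak form, then a
# drop-in that corrects it without touching the main file.
write_sample_config() {
    mkdir -p "$1/resolved.conf.d"
    cat >"$1/resolved.conf" <<'EOF'
[Resolve]
DNS=9.9.9.9 149.112.112.112
DNSOverTLS=opportunistic
EOF
}
write_sample_dropin() {
    mkdir -p "$1/resolved.conf.d"
    cat >"$1/resolved.conf.d/10-dot.conf" <<'EOF'
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
DNSOverTLS=yes
EOF
}

# Live report against the real system; run as: sh check-dot.sh --live
if [ "${1:-}" = "--live" ]; then
    case "$(dot_mode)" in
        strict)        echo "OK   DNSOverTLS=yes (strict)" ;;
        opportunistic) echo "WARN DNSOverTLS=opportunistic: downgradable, certificate not validated" ;;
        off)           echo "FAIL DNSOverTLS is off or unset" ;;
    esac
    for s in $(servers_without_name); do
        echo "WARN $s has no #hostname: no SNI, certificate matched against IP only"
    done
    if resolv_conf_is_stub; then echo "OK   /etc/resolv.conf -> stub-resolv.conf"
    else echo "FAIL /etc/resolv.conf is not the systemd-resolved stub symlink"; fi
    t=$(quad9_transport "$(dig +short txt proto.on.quad9.net. 2>/dev/null)")
    if [ "$t" = dot ]; then echo "OK   Quad9 saw this query over DoT"
    else echo "FAIL Quad9 reports transport '${t:-none}' (expected dot)"; fi
fi
```

Run sh check-dot.sh --live on the machine you just configured; every line should start with OK. The drop-in written by write_sample_dropin is also the cleanest way to apply step 2 on systems where /etc/systemd/resolved.conf is missing (a commenter below runs into exactly that), since systemd reads resolved.conf.d/*.conf with the same syntax.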
Note: the DNSSEC feature in systemd-resolved is experimental, but for some reason it hasn't been documented as such; see systemd PR #28386. Basically, nobody should use this feature in production and expect it to work correctly. That's why I don't enable DNSSEC in this walkthrough. Also, DNSSEC validation is implemented and enabled on Quad9's resolver by default, so there's no need to enable it on your system: Quad9 validates the signatures upstream, and DoT protects the validated answers on their way to you.
I think this is it for today. I hope this helps, bye 💨
Cover Photo by Patrick Turner on Unsplash
Robot Photo by Arseny Togulev on Unsplash
Top comments (7)
Thank you very much for this blog. Finally I can use secure DNS on tumbleweed.
Thanks! I am glad it helps 🥰
I am trying to set up DNSSEC on Tumbleweed using Wicked. Wicked worked fine with DHCP but when adding systemd-resolved it fails to make a connection, "connections error to ::1#53: connection refused"
"no servers could be reached" using nslookup or dig
Any help appreciated.
I am not familiar with Wicked. I would recommend using only systemd-resolved if you could, as it's not made specifically for any distro in mind. It also integrates well with the system, if not better than Wicked.
I got it to work with Wicked and systemd-resolved.conf. I added DNSSEC=yes to /etc/systemd/resolved.conf and linked /etc/resolv.conf to /run/netconfig/resolv.conf
I'm glad it works out for you! 👍️
Wicked is like NetworkManager or WICD. I am also using xfce4 rather than gnome. I can switch over to NetworkManager but then YAST can't configure some of the Network settings. I added the package systemd-resolved, but there is no resolved.conf, just resolved.conf.d. I added resolved.conf as you indicated but there is no /run/systemd/resolve/stub-resolv.conf to link to resolved.conf. I am running tumbleweed version 20240712