Using DNS over TLS on openSUSE Linux in 4 easy steps, enable cloud firewall for free today!

Even though we can have DNS over TLS (DoT) enabled easily since Android 9 with Private DNS option (all we need is a TLS address of the DNS resolver service we want to use), it's not as easy on Linux. There's already a request to have this feature in the settings menu (GNOME). Until then, we'll have to do a little bit of CLI in a terminal. Therefore, I think it's worth writing here.

What is DNS over TLS? Why is it so important? How would this help your system to be more secure (for free)? Basically, DNS protection means you block bad web addresses, hence significantly reducing the chance of malicious software/scams/etc. from entering your system, rather than let it get in first then (hopefully) fix it later. I recommend reading this link for more info.

The main purpose of this post today is how to turn this feature on easily in just 4 steps. Without further ado, let's enable DNS over TLS (DoT) on openSUSE Tumbleweed in the easiest and straight forward way.

1. Install systemd-network package.

We need to install systemd-network package, which is not installed by default on openSUSE Tumbleweed. Because this package provides systemd-resolved that we'll use as our new resolver service.

sudo zypper install systemd-network

2. Edit /etc/systemd/resolved.conf file.

First, you have to decide whether you want to globally enable DNS over TLS on all connections from now on, or just per connection basis (useful if you want to use different DNS resolver services for your connections).
 

2.1. Setting up DNS over TLS globally for all connections.

This is easy and I would recommend anyone to go with this route. So, we can set it and forget it. We will edit /etc/systemd/resolved.conf file by:

sudo nano /etc/systemd/resolved.conf

Inside the file, all lines are commented with # (have no effect) by default. We will change DNS= and DNSOverTLS=no by removing # in front of them first (uncommenting the lines).

[Resolve]
DNS=
DNSOverTLS=no

For DNS=, we will have to decide which DNS resolver service we want to use as our DNS resolver. I recommend Quad9, as it also comes with anti-malware and other security features by default. The test result from Lawrence Systems when comparing Cloudflare and NextDNS is pretty impressive. So, this will be our cloud firewall. Also, Quad9 does not collect identifiable data from the users, see from their privacy policy here.

DNSOverTLS is a switch. We can turn DNS over TLS on by yes, and off by no. Moreover, if we set this switch to yes, it's also a kill switch, i.e. If our DNS resolver is down or doesn't support encryption (your ISP's DNS resolver), we won't be able to connect to the internet at all. However, if by any chance, you want to connect to the internet even without DNS encryption/fallback to your current insecure connection, you can set this switch to opportunistic - NOT RECOMMEND.

Therefore, here's our setting in /etc/systemd/resolved.conf:

[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNSOverTLS=yes

For more options on Quad9 address, see here.

2.2. Setting up DNS over TLS as per connection.

Open your connection settings in GNOME Settings. Then in IPv4 tab, turn the Automatic DNS switch off, then fill in the IPv4 address of your preferred DNS resolver service - I recommend Quad9, as shown in the screenshot below:

Also fill in the IPv6 address accordingly, as shown in the screenshot below:

Don't forget to hit Apply button to save the settings!

Then, open /etc/systemd/resolved.conf file by sudo nano /etc/systemd/resolved.conf. Then, in the file:

[Resolve]
DNSOverTLS=yes

DNSOverTLS can be yes if you want a kill switch (you won't be able to connect to the internet by default, unless you set up DNS resolver address that supports DNS encryption), or opportunistic to connect to everything first, then set it later.

For more options on Quad9 address, see here.

3. Make a necessary symlink.

In order to make use of systemd-resolved that we configured in the previous step, we'll have to make /etc/resolv.conf a symlink to /run/systemd/resolve/stub-resolv.conf. We can make this symlink by:

sudo ln -sf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

• ln command is used to create links between files.
• -sf It's the combination of option -s for --symbolic and option -f for --force. We use this option to force make a symlink.

4. Restart the network to enable systemd-resolved, and finally enable DNS over TLS.

This is the last step! Before we can see our changes, we will need to restart both systemd-resolved and NetworkManager services by:

sudo systemctl restart systemd-resolved.service && sudo service NetworkManager restart

After all the steps above, now we should have our DNS over TLS enabled. We can check this by running in the terminal (see here):

dig +short txt proto.on.quad9.net.

If the response is dot., then it is working! And we can check whether we've configured Quad9 properly on Quad9 test page here.

Another page I would recommend for checking your DNS security is dnscheck.tools.

Note: DNSSEC feature in systemd-resolved is an experimental feature, but it hasn't been ducumented as such for some reasons, see systemd's PR #28386. Basically, no one should use this feature in their production and expect the feature to work correctly. That's why I don't enable DNSSEC in this walkthrough. Also, DNSSEC is implemented and enabled on Quad9's resolver by default. So, there's no need to enable it in your system.

I think this is it for today. I hope this helps, bye 💨

Cover Photo by Patrick Turner on Unsplash

Robot Photo by Arseny Togulev on Unsplash