DNS over TLS with systemd-resolved
Folks,

I was trying to enable DNS over TLS via systemd-resolved. I changed /etc/systemd/resolved.conf as follows:

[Resolve]
DNS=1.1.1.1
#FallbackDNS=
Domains=~.
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
DNSOverTLS=opportunistic
#Cache=yes
#DNSStubListener=yes

While monitoring the network (with tcpdump) to see if the resulting behavior was the intended one, it seems a TLS session is established with the target server, but then the server closes the connection. I got the same results with 1.1.1.1, 8.8.8.8 and others.

Any clues?

P.S.: systemd-resolved ends up doing parallel resolution with traditional DNS (despite the setting of "Domains" above). But my main question for this post is what may be going wrong with the TLS one.

Thanks,
Fernando
  • What does resolvectl say? Are you actually using systemd-resolved? Flip your DNSOverTLS setting to yes. You should also flip DNSSEC validation to yes. Few DNS over TLS implementations support reusing connections and will open one connection per request.

    – Aeyoun
    Jan 17 at 5:38
  • @Aeyoun Yes, right thing, wrong order: first Fernando needs to get it working, then improve. HINT: DNSSEC works if you enable DNS-over-TLS the way described below. But it slows down significantly. Step by step getting closer to DNS-over-TLS in Ubuntu 18.04 ....

    – opinion_no9
    Jan 21 at 10:26
networking dns systemd-resolved
asked Nov 13 '18 at 10:02
Fernando Gont
1 Answer
DNS-over-TLS in Ubuntu 18.04

Based on my experience it will not work the way mentioned above on Ubuntu 18.04+ (i.e. U19).

Since Ubuntu 18+ uses Netplan in parallel with NetworkManager, things have changed drastically:
No more manual config in the traditional ways ;-(
Documentation is .... sparse.

snap may bring further changes. It establishes additional resolved.conf files. However, the following actually worked (with good performance).

For info about Netplan look here:
https://www.techrepublic.com/article/how-to-set-dns-nameservers-in-ubuntu-server-18-04/

What DNS-over-TLS setup was working successfully (works4me):

1)
In /etc/systemd/resolved.conf
ONLY change the DNSOverTLS= line into

DNSOverTLS=opportunistic

There is NO other option (see the explanation here:
https://wiki.archlinux.org/index.php/Systemd-resolved#DNS_over_TLS)

2)
Use a capable DNS server.
I prefer the Digitalcourage servers

46.182.19.48 resp. 2a02:2970:1002::18

Why? Privacy!!

2a) This should be done in NetworkManager via the GUI!

Enter the DNS server address in the GUI field for your connection under
IPv4 Settings / DNS Servers
and v6 respectively.

The entries will NOT show up in /etc/resolv.conf !! Which is correct. Instead you will see nameserver 127.0.0.53

This is new Ubuntu .... no longer suitable for hobby-admins.

2b) Not recommended but possible alternative

Setting appropriate DNS servers can be done directly in /etc/resolv.conf in the usual format; remove the 127.0.0.53 or something else.

Problem: Gets overwritten by NetworkManager in Ubuntu!

Remedy: As true root (!) chattr the file /etc/resolv.conf

chattr +i /etc/resolv.conf

This is brute force and may disable automatic DNS caching via resolved.

Courtesy of the brilliant boys at Arch:
https://wiki.archlinux.org/index.php/Domain_name_resolution

However, it works fine ;-) but needs manual maintenance as true root!

Tip:

You are well advised to make resolv.conf a link. This is required by resolved to work properly. As sudo-root move away the old file, then

sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf

I do not like this way but it is inherently working properly.

Then reboot. Or restart the network.

How to check

3) Some basic checks

Check the DNS actually used by systemd-resolved:

resolvectl status

Check if DNS resolves with resolvectl:

resolvectl query archlinux.org

(try some examples)

Check what DNS is actually used, check for leaks in VPN:

https://dnsleaktest.com/

4)
Start Wireshark, filter for "port 53" and generate web traffic.

This should not show connects on port 53 any longer.
Then filter for port 853. Here a lot should go on.

Important: If all traffic uses port 853 and no traffic uses 53, you did it successfully!!!

Wireshark examples here:
https://www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls

Remark:
I tried stubby. stubby does not integrate well in Ubuntu but you can get it working even with NetworkManager.
There is one manual to do it successfully:
https://www.techrepublic.com/article/how-to-use-dns-over-tls-on-ubuntu-linux/
Problem: performance was a pain in the arse. Something is weird and I did not find out the cause.

Enabling DNSSEC=yes in /etc/systemd/resolved.conf should be possible now.

Important:

This solution improves privacy a lot.

BUT it is NOT sufficient if your personal integrity depends on data privacy and security!! See the caveats in the resolved description. It is NOT sufficient to have opportunistic mode. Then better watch out for Tails Linux.
A sad greeting to all political prisoners around the world.
        edited Jan 21 at 12:39
        answered Jan 21 at 9:28
opinion_no9
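Two of the checks the answer describes can be scripted rather than eyeballed: step 2a's expectation that /etc/resolv.conf only names the systemd-resolved stub at 127.0.0.53 (anything else listed there is queried by libc directly, in plaintext, bypassing resolved and its DNSOverTLS setting), and step 4's success criterion that a capture shows traffic on port 853 and none on port 53. The script below is an added example, not code from the question, the answer, or systemd; it assumes tcpdump's default one-line output layout, and all resolv.conf contents and capture lines in it are constructed sample data (the 192.168.1.x, 2001:db8:: and 192.0.2.1 addresses are made up; the Digitalcourage addresses are the ones the answer names). A "leak" verdict is exactly what opportunistic mode permits, since it falls back to unencrypted DNS when TLS fails, which is why the answer's closing caveat about opportunistic mode matters.

```shell
#!/bin/sh
# Added example (not from the question or the answer): scripted versions of two
# checks from the answer.
#   resolv_conf_mode  - step 2a: does /etc/resolv.conf hand everything to the
#                       systemd-resolved stub at 127.0.0.53, or does it list
#                       upstream servers directly (step 2b), which libc then
#                       queries in plaintext, bypassing resolved and its DoT setting?
#   classify_capture  - step 4: given tcpdump output, did any query leave on
#                       plaintext port 53, or did everything use port 853?
# Every file content and capture line below is constructed sample data.

# resolv_conf_mode FILE -> "stub" | "direct" | "empty"
resolv_conf_mode() {
    servers=$(awk '$1 == "nameserver" { print $2 }' "$1")
    if [ -z "$servers" ]; then
        echo empty
        return 0
    fi
    # Anything other than the resolved stub address means resolved is bypassed.
    others=$(printf '%s\n' "$servers" | grep -v '^127\.0\.0\.53$' || true)
    if [ -z "$others" ]; then
        echo stub
    else
        echo direct
    fi
}

# count_to_port PORT CAPTURE -> number of packets sent TO that port
# Assumes tcpdump's default layout: "<time> IP|IP6 <src>.<sport> > <dst>.<dport>: ..."
# Only client->server packets match: replies carry the client's ephemeral port
# as destination, so they are not counted.
count_to_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        ($2 == "IP" || $2 == "IP6") && $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)             # drop the trailing colon
            n = split(dst, part, "[.]")    # the port is the last dot-separated field
            if (part[n] == p) c++
        }
        END { print c + 0 }'
}

# classify_capture CAPTURE -> "ok" | "leak" | "no-dot"
#   ok      only port 853 was used: the success criterion from step 4
#   leak    DoT traffic present, but some queries still went out in plaintext
#   no-dot  nothing on 853 at all: resolved is not doing DoT, or is bypassed
classify_capture() {
    plain=$(count_to_port 53 "$1")
    tls=$(count_to_port 853 "$1")
    if [ "$tls" -eq 0 ]; then
        echo no-dot
    elif [ "$plain" -eq 0 ]; then
        echo ok
    else
        echo leak
    fi
}

# Constructed capture: a DoT session to the Digitalcourage resolver named in the
# answer (v4, then v6), followed by one plaintext query to a router at
# 192.168.1.1 and its reply. Client addresses are made up.
LEAKY_CAPTURE='12:00:01.000100 IP 192.168.1.10.51234 > 46.182.19.48.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 46.182.19.48.853 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000300 IP 192.168.1.10.51234 > 46.182.19.48.853: Flags [P.], seq 1:200, ack 1, win 502, length 199
12:00:01.000400 IP6 2001:db8::10.51240 > 2a02:2970:1002::18.853: Flags [S], seq 3, win 64800, length 0
12:00:02.000100 IP 192.168.1.10.40001 > 192.168.1.1.53: 12345+ A? example.com. (29)
12:00:02.000200 IP 192.168.1.1.53 > 192.168.1.10.40001: 12345 1/0/0 A 192.0.2.1 (45)'

# The first four lines only: the DoT session without the plaintext exchange.
CLEAN_CAPTURE=$(printf '%s\n' "$LEAKY_CAPTURE" | head -n 4)

# Demo with constructed resolv.conf contents as steps 2a and 2b would leave them.
demo_dir=$(mktemp -d)
printf '# This file is managed by systemd-resolved\nnameserver 127.0.0.53\noptions edns0\n' > "$demo_dir/stub.conf"
printf 'nameserver 46.182.19.48\nnameserver 2a02:2970:1002::18\n' > "$demo_dir/direct.conf"

echo "stub.conf     -> $(resolv_conf_mode "$demo_dir/stub.conf")"    # stub
echo "direct.conf   -> $(resolv_conf_mode "$demo_dir/direct.conf")"  # direct
echo "leaky capture -> $(classify_capture "$LEAKY_CAPTURE")"        # leak
echo "clean capture -> $(classify_capture "$CLEAN_CAPTURE")"        # ok
rm -rf "$demo_dir"
```

On a live machine, source the script and run `resolv_conf_mode /etc/resolv.conf`, then capture while browsing with `sudo tcpdump -ni eth0 -l 'port 53 or port 853' > dns.txt` (substitute your interface) and feed the result to `classify_capture "$(cat dns.txt)"`. Capture on a specific interface rather than `any`: newer tcpdump versions add an interface and direction column when capturing on `any`, which this parser does not expect.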