DNS over TLS with systemd-resolved
Folks,
I was trying to enable DNS over TLS via systemd-resolved. I changed /etc/systemd/resolved.conf as follows:
[Resolve]
DNS=1.1.1.1
#FallbackDNS=
Domains=~.
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
DNSOverTLS=opportunistic
#Cache=yes
#DNSStubListener=yes
While monitoring the network (with tcpdump) to see if the resulting behavior was the intended one, it seems a TLS session is established with the target server, but then the server closes the connection. I got the same results with 1.1.1.1, 8.8.8.8 and others.
Any clues?
P.S.: systemd-resolved ends up doing parallel resolution with traditional DNS (despite the setting of "Domains" above). But my main question for this post is what may be going wrong with the TLS one.
Thanks,
Fernando
Tags: networking, dns, systemd-resolved
asked Nov 13 '18 at 10:02 by Fernando Gont
What does resolvectl say? Are you actually using systemd-resolved? Flip your DNSOverTLS setting to yes. You should also flip DNSSEC validation to yes. Few DNS over TLS implementations support reusing connections and will open one connection per request.
– Aeyoun, Jan 17 at 5:38
@Aeyoun Yes, right thing, wrong order: first Fernando needs to get it working, then improve. HINT: DNSSEC works if you enable DNS-over-TLS the way described below. But it slows down significantly. Step by step getting closer to DNS-over-TLS in Ubuntu 18.04 ....
– opinion_no9, Jan 21 at 10:26
1 Answer
DNS-over-TLS in Ubuntu 18.04
Based on my experience, it will not work the way mentioned above on Ubuntu 18.04+ (i.e. U19).
Since Ubuntu 18+ uses Netplan in parallel with NetworkManager, things have changed drastically:
No more manual config in the traditional ways ;-(
Documentation is .... sparse.
snap may bring further changes. It establishes additional resolved.conf files. However, the following actually worked (with good performance).
For info about Netplan look here:
https://www.techrepublic.com/article/how-to-set-dns-nameservers-in-ubuntu-server-18-04/
How DNS-over-TLS was working successfully (works4me):
1) In /etc/systemd/resolved.conf ONLY change the DNSOverTLS= line into
DNSOverTLS=opportunistic
There is NO other option (see explanation here:
https://wiki.archlinux.org/index.php/Systemd-resolved#DNS_over_TLS ).
2) Use a capable DNS server.
I prefer Digitalcourage servers: 46.182.19.48 resp. 2a02:2970:1002::18
Why? Privacy!!
2a) This should be done in NetworkManager via the GUI!
Enter the DNS server address in the GUI field for your connection under
IPv4 Settings / DNS Servers
and v6 respectively.
The entries will NOT show up in /etc/resolv.conf !! Which is correct. Instead you will see nameserver 127.0.0.53
This is new Ubuntu .... no longer suitable for hobby-admins.
2b) Not recommended but possible alternative
Setting appropriate DNS servers can be done directly in /etc/resolv.conf in the usual format; remove the 127.0.0.53 or something else.
Problem: Gets overwritten by NetworkManager in Ubuntu!
Remedy: As true root (!) chattr the file /etc/resolv.conf
chattr +i /etc/resolv.conf
This is brute force and may disable automatic DNS caching via resolved.
Courtesy of the brilliant boys at Arch:
https://wiki.archlinux.org/index.php/Domain_name_resolution
However, it works fine ;-) but needs manual maintenance as true root!
Tip:
You are well advised to make resolv.conf a link. This is required by resolved to work properly. As sudo-root move away the old file, then
sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf
I do not like this way, but it inherently works properly.
Then reboot. Or restart the network.
How to check
3) Some basic checks
Check the DNS actually used by systemd-resolved:
resolvectl status
Check if DNS resolves with resolvectl:
resolvectl query archlinux.org
(try some examples)
Check what DNS is actually used, check for leaks in VPN:
https://dnsleaktest.com/
4) Start Wireshark, filter for "port 53" and make web traffic.
This should not show connects on port 53 any longer.
Then filter for port 853. Here a lot should go on.
Important: If all traffic uses port 853 and no traffic uses 53 you did it successfully!!!
Wireshark examples here:
https://www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls
Remark:
I tried stubby. stubby does not integrate well in Ubuntu, but you can get it working even with NetworkManager.
There is one manual to do it successfully:
https://www.techrepublic.com/article/how-to-use-dns-over-tls-on-ubuntu-linux/
Problem: performance was a pain in the arse. Something is weird and I did not find out the cause.
Enabling DNSSEC=yes in /etc/systemd/resolved.conf should be possible now.
Important:
This solution improves privacy a lot.
BUT it is NOT sufficient if your personal integrity depends on data privacy and security!! See caveats in the resolved description. It is NOT sufficient to have opportunistic mode. Then better watch out for Tails Linux.
A sad greeting to all political prisoners around the world.
edited Jan 21 at 12:39
answered Jan 21 at 9:28 by opinion_no9
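A small audit helper that automates what the answer's step 1 (effective resolved.conf settings, drop-in files included, since the answer notes that snap adds extra resolved.conf files) and steps 3 and 4 (sorting captured traffic into port 53 versus port 853) describe by hand. This is example code added here, not code from the thread or from systemd; the file contents and tcpdump lines are constructed samples, and the DEFAULTS table is an assumption about systemd's compiled-in defaults, not read from the running system.

```python
"""Audit helper added for this thread (not code from the Ask Ubuntu post).

Merges /etc/systemd/resolved.conf with its drop-ins (later files win per key,
as systemd does) and flags DNSOverTLS / DNSSEC values that still allow
plaintext or unvalidated DNS; then classifies 'tcpdump -n' lines by
destination port (53 = plaintext DNS, 853 = DNS-over-TLS) so a leak shows up
as a non-zero port-53 count. All file contents and capture lines are
constructed samples.
"""
import re
from typing import Dict, List

# systemd's compiled-in defaults when a key is absent (assumption for the audit)
DEFAULTS = {"DNSOverTLS": "no", "DNSSEC": "no"}

def parse_resolved_conf(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [Resolve] section, ignoring comments."""
    settings, in_resolve = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # a commented-out key keeps its default
        if line.startswith("["):
            in_resolve = line == "[Resolve]"
            continue
        if in_resolve and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def effective_settings(files: List[str]) -> Dict[str, str]:
    """Merge the main file and its drop-ins in order; later files override."""
    merged = dict(DEFAULTS)
    for text in files:
        merged.update(parse_resolved_conf(text))
    return merged

def audit_settings(settings: Dict[str, str]) -> List[str]:
    """Findings about values that still permit plaintext or unvalidated DNS."""
    findings = []
    dot = settings.get("DNSOverTLS", "no")
    if dot == "no":
        findings.append("DNSOverTLS=no: every query leaves the host in plaintext")
    elif dot == "opportunistic":
        findings.append("DNSOverTLS=opportunistic: TLS is tried first, but an "
                        "on-path attacker can force a plaintext fallback")
    # DNSOverTLS=yes (strict mode, no fallback) is only accepted by newer systemd releases
    if settings.get("DNSSEC", "no") == "no":
        findings.append("DNSSEC=no: answers are accepted without validation")
    return findings

# 'tcpdump -n' prints 'IP src.sport > dst.dport:' ('IP6' for IPv6)
_FLOW_RE = re.compile(r"\bIP6? \S+\.(\d+) > \S+\.(\d+):")

def classify_capture(lines: List[str]) -> Dict[str, int]:
    """Count packets sent to port 53 (plaintext DNS) and port 853 (DoT)."""
    counts = {"plaintext_dns": 0, "dot": 0}
    for line in lines:
        m = _FLOW_RE.search(line)
        if m and m.group(2) == "53":
            counts["plaintext_dns"] += 1
        elif m and m.group(2) == "853":
            counts["dot"] += 1
    return counts

def leak_verdict(counts: Dict[str, int]) -> str:
    """The answer's rule: everything on 853 and nothing on 53 means success."""
    if counts["plaintext_dns"] > 0:
        return f"LEAK: {counts['plaintext_dns']} packet(s) sent to port 53"
    if counts["dot"] > 0:
        return "OK: only DNS-over-TLS traffic (port 853) observed"
    return "INCONCLUSIVE: no DNS traffic in the capture"

if __name__ == "__main__":
    conf = "[Resolve]\nDNS=46.182.19.48\n#DNSSEC=no\nDNSOverTLS=opportunistic\n"
    print("\n".join(audit_settings(effective_settings([conf]))))
    capture = [  # constructed, as 'tcpdump -n port 53 or port 853' would print
        "10:02:01.000001 IP 192.0.2.10.41234 > 46.182.19.48.853: Flags [S], seq 1",
        "10:02:01.000002 IP6 2001:db8::10.41235 > 2a02:2970:1002::18.853: Flags [S]",
        "10:02:02.000003 IP 192.0.2.10.51000 > 46.182.19.48.53: 4242+ A? archlinux.org. (31)",
    ]
    print(leak_verdict(classify_capture(capture)))
```

Run it against the real files with `effective_settings([open(p).read() for p in sorted(paths)])`, listing /etc/systemd/resolved.conf first and then the drop-ins, and feed it the output of `tcpdump -n port 53 or port 853` to get the same verdict the answer derives from Wireshark.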