
Quick Configuration Endpoints

DNS over HTTPS

https://xyz01-srv.unrulycitizen.com/dns-query

DNS over TLS

xyz01-srv.unrulycitizen.com

Linux DoT Configuration Methods

Method 1: systemd-resolved Configuration (Recommended)

Step 1: Check systemd-resolved Status

Verify systemd-resolved is running and enabled:

sudo systemctl status systemd-resolved
sudo systemctl is-enabled systemd-resolved
Step 2: Configure systemd-resolved

Edit the systemd-resolved configuration file:

sudo nano /etc/systemd/resolved.conf
Step 3: Set DNS over TLS Settings

Add or modify these lines in the configuration. Note that DNSOverTLS=opportunistic encrypts queries only while the TLS handshake succeeds; if it fails, systemd-resolved silently falls back to plaintext DNS on port 53, so this mode protects against passive observation only and an on-path attacker can force the downgrade. DNSSEC=allow-downgrade behaves the same way for validation. Domains=~. routes all lookups to the listed servers:

[Resolve]
DNS=140.82.41.243
FallbackDNS=1.1.1.1 8.8.8.8
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Domains=~.
Step 4: For Strict DoT (No Fallback)

Use these settings for strict TLS-only mode. The hostname after # is sent as the TLS Server Name Indication and used to validate the server certificate, so resolved refuses to use a server that cannot present a valid certificate for xyz01-srv.unrulycitizen.com instead of falling back to plaintext:

[Resolve]
DNS=140.82.41.243#xyz01-srv.unrulycitizen.com
DNSSEC=yes
DNSOverTLS=yes
Step 5: Restart and Apply

Restart systemd-resolved and update resolv.conf:

sudo systemctl restart systemd-resolved
sudo systemctl enable systemd-resolved
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
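A check worth running after step 5, added here as an example and not part of the original article or of the Unruly Citizen tooling: the script below reads a resolved.conf, takes the last DNSOverTLS=, DNS= and FallbackDNS= assignments inside the [Resolve] section (later lines override earlier ones, and commented-out defaults such as #DNS= are ignored) and reports whether the result is strict (encrypted and server-authenticated), merely opportunistic (downgradeable to plaintext), or unauthenticated (DNSOverTLS=yes but a server without a #hostname, which means no SNI and a certificate that can only be matched against the bare IP). The function and file names are this example's own. Run without an argument it audits the two configurations from steps 3 and 4 in a temporary file; give it a path to audit a real file.

```sh
#!/bin/sh
# Audit a systemd-resolved configuration for DNS-over-TLS strictness.
# Usage: sh dot_audit.sh [/etc/systemd/resolved.conf]
# Exit status: 0 = strict (encrypted and server authenticated)
#              1 = encrypted but downgradeable or unauthenticated
#              2 = DoT off, no server configured, or file unreadable

resolve_key() {
    # Print the last value assigned to key $2 inside the [Resolve] section of
    # file $1; later assignments override earlier ones, as resolved does.
    # Commented-out defaults such as "#DNS=" do not match and are ignored.
    sed -n '/^\[Resolve\]/,/^\[/p' "$1" \
        | sed -n "s/^$2=[[:space:]]*//p" \
        | tail -n 1
}

audit_resolved_conf() {
    conf="${1:-/etc/systemd/resolved.conf}"
    if [ ! -r "$conf" ]; then
        echo "OFF: cannot read $conf"
        return 2
    fi
    mode=$(resolve_key "$conf" DNSOverTLS)
    servers=$(resolve_key "$conf" DNS)
    fallback=$(resolve_key "$conf" FallbackDNS)

    case "$mode" in
        yes|true|on|1)
            ;;
        opportunistic)
            echo "DOWNGRADEABLE: DNSOverTLS=opportunistic encrypts only while the TLS handshake succeeds; on failure resolved silently reverts to plaintext port 53, which an on-path attacker can force"
            return 1 ;;
        *)
            echo "OFF: DNSOverTLS is '${mode:-unset}', queries leave the host in plaintext"
            return 2 ;;
    esac

    if [ -z "$servers" ]; then
        echo "OFF: no DNS= server in [Resolve]; resolved will use per-link or FallbackDNS servers instead"
        return 2
    fi
    # Strict mode only authenticates the server when each address carries a
    # #hostname: that name is sent as SNI and matched against the certificate.
    for s in $servers $fallback; do
        case "$s" in
            *#*) ;;
            *)  echo "UNAUTHENTICATED: $s has no #hostname, so no SNI is sent and the certificate can only be matched against the bare IP"
                return 1 ;;
        esac
    done
    echo "STRICT: DNSOverTLS=$mode with every server pinned: $servers${fallback:+ $fallback}"
    return 0
}

if [ "$#" -gt 0 ]; then
    audit_resolved_conf "$1"
else
    # No argument: audit the two configurations from steps 3 and 4, written to
    # a temporary file so the example runs without touching the real config.
    tmp=$(mktemp)
    printf '[Resolve]\nDNS=140.82.41.243\nFallbackDNS=1.1.1.1 8.8.8.8\nDNSSEC=allow-downgrade\nDNSOverTLS=opportunistic\nDomains=~.\n' > "$tmp"
    audit_resolved_conf "$tmp" || true
    printf '[Resolve]\nDNS=140.82.41.243#xyz01-srv.unrulycitizen.com\nDNSSEC=yes\nDNSOverTLS=yes\n' > "$tmp"
    audit_resolved_conf "$tmp" || true
    rm -f "$tmp"
fi
```

The exit status is meant for use in a configuration-management or CI check (sh dot_audit.sh /etc/systemd/resolved.conf || echo "resolver is not strict"); the verdict line explains which of the two properties, encryption or server authentication, is missing.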

Method 2: Command Line Configuration

Use systemd-resolve command for quick configuration:

# Set the DNS server per interface (legacy systemd-resolve syntax)
sudo systemd-resolve --set-dns=140.82.41.243 --interface=eth0
sudo systemd-resolve --set-dns=140.82.41.243 --interface=wlan0

# Configure DoT for a link using resolvectl
sudo resolvectl dns eth0 140.82.41.243
sudo resolvectl dnsovertls eth0 opportunistic
sudo resolvectl domain eth0 "~."

# For strict DoT mode
sudo resolvectl dnsovertls eth0 yes
sudo resolvectl dns eth0 140.82.41.243#xyz01-srv.unrulycitizen.com

# Verify configuration
resolvectl status

Replace "eth0" and "wlan0" with your actual interface names (ip link lists them). Settings made with systemd-resolve or resolvectl apply to the running instance only and are lost when systemd-resolved restarts or when NetworkManager reconfigures the link; use Method 1 for a persistent configuration.

Method 3: NetworkManager Integration

Configure DoT through NetworkManager for GUI-based systems. When systemd-resolved is NetworkManager's DNS backend (the default on Ubuntu and Fedora), NetworkManager only hands the resolver address to systemd-resolved; the DoT mode itself still comes from the DNSOverTLS= setting in /etc/systemd/resolved.conf (Method 1), so set that first:

Ubuntu/Debian with NetworkManager

# Install NetworkManager if not present
sudo apt update && sudo apt install network-manager

# Configure via nmcli
sudo nmcli con mod "Wired connection 1" ipv4.dns "140.82.41.243"
sudo nmcli con mod "Wired connection 1" ipv4.ignore-auto-dns yes
sudo nmcli con mod "Wired connection 1" ipv4.dns-search "~."
sudo nmcli con mod "Wired connection 1" ipv4.dns-options "attempts:2,timeout:1"

# Apply changes
sudo nmcli con down "Wired connection 1"
sudo nmcli con up "Wired connection 1"
Fedora/RHEL with NetworkManager

# Pick the active connection once: after "con down" it is no longer active,
# so re-running "con show --active" to find the name for "con up" would return nothing
CON=$(nmcli -t -f NAME con show --active | head -n 1)

# Configure DNS settings
sudo nmcli con mod "$CON" ipv4.dns "140.82.41.243"
sudo nmcli con mod "$CON" ipv4.ignore-auto-dns yes
sudo nmcli con mod "$CON" ipv4.dns-search "~."

# Restart network connection
sudo nmcli con down "$CON"
sudo nmcli con up "$CON"

Method 4: Distribution-Specific Scripts

Quick setup scripts for different Linux distributions:

Ubuntu/Debian Auto-Script

#!/bin/bash
# Ubuntu/Debian DoT setup script
sudo apt update
sudo apt install systemd-resolved -y
# Replaces the whole resolved.conf with the opportunistic configuration from Method 1, step 3
cat << EOF | sudo tee /etc/systemd/resolved.conf
[Resolve]
DNS=140.82.41.243
FallbackDNS=1.1.1.1 8.8.8.8
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Domains=~.
EOF
sudo systemctl restart systemd-resolved
sudo systemctl enable systemd-resolved
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
echo "DoT configuration complete!"
Fedora/RHEL Auto-Script

#!/bin/bash
# Fedora/RHEL DoT setup script
sudo dnf install systemd-resolved -y
# Replaces the whole resolved.conf with the strict configuration from Method 1, step 4
cat << EOF | sudo tee /etc/systemd/resolved.conf
[Resolve]
DNS=140.82.41.243#xyz01-srv.unrulycitizen.com
DNSSEC=yes
DNSOverTLS=yes
Domains=~.
EOF
sudo systemctl restart systemd-resolved
sudo systemctl enable systemd-resolved
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
echo "DoT configuration complete!"
Arch Linux Auto-Script

#!/bin/bash
# Arch Linux DoT setup script
# systemd-resolved is part of the systemd package on Arch, so there is nothing extra to install
# Replaces the whole resolved.conf with a strict configuration
cat << EOF | sudo tee /etc/systemd/resolved.conf
[Resolve]
DNS=140.82.41.243#xyz01-srv.unrulycitizen.com
DNSSEC=yes
DNSOverTLS=yes
Cache=yes
DNSStubListener=yes
EOF
sudo systemctl restart systemd-resolved
sudo systemctl enable systemd-resolved
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
echo "DoT configuration complete!"

Verification

To verify DoT is working on your Linux system:

Check DNS Configuration

# Check systemd-resolved status; the Protocols line (or "DNSOverTLS setting" on older systemd)
# shows whether DoT is active, and the DNS Servers line should carry the #hostname in strict mode
resolvectl status
systemd-resolve --status

# Verify DNS settings
cat /etc/resolv.conf
systemd-resolve --statistics

# Test DNS resolution
dig unrulycitizen.com
nslookup unrulycitizen.com

# Check DoT specifically (follow the resolver log while querying)
journalctl -u systemd-resolved -f

Test DoT Connection

# Install kdig for advanced testing (Ubuntu/Debian)
sudo apt install knot-dnsutils
# Install kdig on Fedora/RHEL
sudo dnf install knot-utils
# Install kdig on Arch Linux
sudo pacman -S knot

# Test DoT directly with kdig
kdig @xyz01-srv.unrulycitizen.com +tls-ca +tls-host=xyz01-srv.unrulycitizen.com google.com

# Alternative test with openssl
openssl s_client -connect xyz01-srv.unrulycitizen.com:853

# Monitor DNS queries
sudo tcpdump -i any port 853
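The tcpdump line above only shows that port 853 is in use; what a defender also wants to know after the change is that nothing still leaves the host on port 53, whether from a program that bypasses the stub resolver or from an opportunistic downgrade. The script below is an added example, not part of the original article or of any Unruly Citizen tooling: it reads a text capture produced by sudo tcpdump -nn -l -i any 'port 53 or port 853', ignores the plaintext hop to the local stub on 127.0.0.53 (expected by design) and lists every off-host destination by port. The function names and the sample capture are this example's own constructions, and the parser allows for both the classic line layout and the interface/direction prefix that newer tcpdump prints with -i any.

```sh
#!/bin/sh
# Summarise a tcpdump capture of DNS traffic and flag plaintext queries that
# left the host.  Input: text from  sudo tcpdump -nn -l -i any 'port 53 or port 853'
# Usage: sh dns_leak_check.sh capture.txt   (no argument: runs on a constructed sample)
# Exit status: 0 = every off-host query used port 853, 1 = plaintext leak seen

dns_leak_check() {
    awk '
        {
            # Locate the "IP <src> > <dst>:" group. With -i any, newer tcpdump
            # prefixes each line with the interface name and direction, so the
            # column in which "IP" or "IP6" appears varies.
            found = 0
            for (i = 2; i + 3 <= NF; i++)
                if ($i ~ /^IP6?$/ && $(i + 2) == ">") { found = 1; break }
            if (!found) next
            dst = $(i + 3); sub(/:$/, "", dst)
            n = split(dst, part, "."); port = part[n]
            host = substr(dst, 1, length(dst) - length(port) - 1)
            # The systemd-resolved stub on 127.0.0.53 receives plaintext by
            # design; only traffic that actually leaves the host matters here.
            if (host ~ /^127\./ || host == "::1") next
            if (port == "853")     tls[host]++
            else if (port == "53") { plain[host]++; leaks++ }
        }
        END {
            for (h in tls)   printf "DoT    %-40s %d packet(s)\n", h, tls[h]
            for (h in plain) printf "PLAIN  %-40s %d packet(s)  <-- left the host unencrypted\n", h, plain[h]
            exit (leaks > 0 ? 1 : 0)
        }' "$@"
}

# Constructed sample, not real traffic: a DoT session to the Unruly Citizen
# resolver, a local stub query, and one plaintext query to 8.8.8.8 of the kind
# a program bypassing the stub (or an opportunistic downgrade) would produce.
sample_capture() {
    cat <<'EOF'
10:00:00.100 eth0  Out IP 192.0.2.10.40001 > 140.82.41.243.853: Flags [S], seq 1, win 64240, length 0
10:00:00.101 eth0  Out IP 192.0.2.10.40001 > 140.82.41.243.853: Flags [P.], seq 1:300, ack 1, length 299
10:00:00.200 lo    In  IP 127.0.0.1.53100 > 127.0.0.53.53: 1234+ A? example.com. (29)
10:00:01.000 IP 192.0.2.10.53101 > 8.8.8.8.53: 5678+ A? example.net. (29)
EOF
}

if [ "$#" -gt 0 ]; then
    dns_leak_check "$1"
else
    sample_capture | dns_leak_check || echo "=> plaintext DNS left the host (exit status $?)"
fi
```

To use it on a live system, capture for a while during normal activity (sudo tcpdump -nn -l -i any 'port 53 or port 853' > dns.txt), then run sh dns_leak_check.sh dns.txt; any PLAIN line names a destination that received unencrypted queries and is worth tracing back to the process or the fallback that produced it.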

Troubleshooting

DoT not working?

  • Ensure systemd-resolved is running: sudo systemctl status systemd-resolved
  • Check that outbound TCP port 853 is allowed by the firewall: sudo ufw allow out 853/tcp (Ubuntu)
  • Verify DNS server IP address is correct
  • Check for conflicting DNS services (dnsmasq, bind)
  • Ensure /etc/resolv.conf points to systemd-resolved
  • Restart systemd-resolved: sudo systemctl restart systemd-resolved

Common Linux Issues

  • Old systemd version: Update to systemd 239+ for full DoT support
  • Firewall blocking: Ensure port 853 (TLS) is not blocked
  • NetworkManager conflicts: Disable dnsmasq integration if present
  • Corporate networks: May block external DNS on port 853
  • DNS caching: Clear DNS cache: sudo systemd-resolve --flush-caches

Distribution Compatibility

Ubuntu 18.04+

Full systemd-resolved support. Recommended for all Ubuntu versions.

Debian 10+

Native systemd-resolved support. Buster and later.

Fedora 29+

Excellent systemd integration. All modern Fedora versions.

Arch Linux

Latest systemd features. Rolling release advantage.

RHEL/CentOS 8+

systemd-resolved available via EPEL. Requires additional setup.

Older Distributions

Consider using stubby or dnscrypt-proxy for DoT.

Alternative DoT Methods

Using Stubby (DNS Privacy Daemon)

# Install stubby
sudo apt install stubby      # Ubuntu/Debian
sudo dnf install stubby      # Fedora/RHEL
sudo pacman -S stubby        # Arch Linux

# Configure stubby for Unruly Citizen
sudo nano /etc/stubby/stubby.yml

# Add to upstream_recursors (tls_auth_name is the name the certificate is checked against):
upstream_recursors:
  - address_data: 140.82.41.243
    tls_auth_name: "xyz01-srv.unrulycitizen.com"
    tls_port: 853

# Restart stubby
sudo systemctl restart stubby
sudo systemctl enable stubby

# stubby listens on 127.0.0.1 (and ::1) by default; point /etc/resolv.conf at that address so applications use it

Using dnscrypt-proxy

# Install dnscrypt-proxy
sudo apt install dnscrypt-proxy   # Ubuntu/Debian
sudo dnf install dnscrypt-proxy   # Fedora

# Configure for DoT
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

# Add server and enable DoT:
[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
  minisign_key = '...'
  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  refresh_delay = 72

# Add custom server:
[static]
  [static.'unruly-citizen']
  stamp = 'sdns://AAAAAAAAAAA...'
