
Configuration Endpoints

Use these addresses across all methods below.

🔒 DNS over HTTPS

https://dns.unrulycitizen.com/dns-query

🛡 DNS over TLS

dns.unrulycitizen.com Port: 853

systemd-resolved

The recommended approach for any modern Linux distribution. Opportunistic DoT needs systemd 239 or later; strict mode (DNSOverTLS=yes) and the ip#hostname server syntax that validates the server certificate need systemd 243 or later. Check your version with systemctl --version.

Method 1 — systemd-resolved Configuration

1. Check systemd-resolved Status

Verify the service is running and enabled before proceeding.

sudo systemctl status systemd-resolved
sudo systemctl is-enabled systemd-resolved
2. Edit the Configuration File

Edit the main file, or put the same [Resolve] section in a new file under /etc/systemd/resolved.conf.d/ so package upgrades do not overwrite it.

sudo nano /etc/systemd/resolved.conf
3. Set Opportunistic DoT

This mode tries TLS on port 853 first and falls back to plaintext on port 53 if the TLS connection fails. It does not validate the server certificate, so an on-path attacker can impersonate the server or simply block port 853 to force the plaintext fallback. Treat it as a first test, not as a privacy guarantee.

[Resolve]
DNS=140.82.41.243
FallbackDNS=1.1.1.1 8.8.8.8
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Domains=~.
4. For Strict DoT (No Fallback)

Use this for an encrypted-only configuration: queries fail rather than fall back to plaintext. The #dns.unrulycitizen.com suffix gives systemd-resolved the name to send as SNI and to validate the server certificate against, which opportunistic mode skips; it needs systemd 243 or later. DNSSEC=yes also fails closed, so lookups break on networks that strip or tamper with DNSSEC records. Keep Domains=~. from step 3 if DHCP-provided per-link servers should not be used for lookups.

[Resolve]
DNS=140.82.41.243#dns.unrulycitizen.com
DNSSEC=yes
DNSOverTLS=yes
5. Restart and Link resolv.conf

sudo systemctl restart systemd-resolved
sudo systemctl enable systemd-resolved
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Command Line

Use resolvectl for per-interface configuration without editing files directly. These settings are runtime only: they are lost on reboot and whenever NetworkManager or systemd-networkd reconfigures the link, so use resolved.conf (Method 1) or your network manager for a persistent setup.

Method 2 — resolvectl

Replace eth0 and wlan0 with your actual interface names (check with ip link).

# Set DNS per interface (runtime only; reverted when the link is reconfigured)
sudo resolvectl dns eth0 140.82.41.243
sudo resolvectl dns wlan0 140.82.41.243
# Enable opportunistic DoT and route all lookups through this interface
sudo resolvectl dnsovertls eth0 opportunistic
sudo resolvectl domain eth0 "~."
# Or enforce strict DoT with hostname pinning (systemd 243+)
sudo resolvectl dnsovertls eth0 yes
sudo resolvectl dns eth0 140.82.41.243#dns.unrulycitizen.com
# Confirm settings are applied: look for +DNSOverTLS and the #hostname on the server
resolvectl status

NetworkManager

For desktop distributions where NetworkManager manages connections. These commands only change which servers NetworkManager hands to systemd-resolved; the encryption itself still comes from DNSOverTLS= in resolved.conf (NetworkManager 1.34 and later can also request it per connection with connection.dns-over-tls). IPv6 servers learned from DHCPv6 or router advertisements stay in use unless ipv6.ignore-auto-dns is set as well.

Method 3 — nmcli

Ubuntu / Debian

Replace "Wired connection 1" with your connection name from nmcli con show.

sudo nmcli con mod "Wired connection 1" ipv4.dns "140.82.41.243"
sudo nmcli con mod "Wired connection 1" ipv4.ignore-auto-dns yes
sudo nmcli con mod "Wired connection 1" ipv4.dns-search "~."
# Apply
sudo nmcli con down "Wired connection 1"
sudo nmcli con up "Wired connection 1"
Fedora / RHEL

This targets your currently active connection automatically. Print $CONN and confirm it is the connection you mean before applying: if several connections are active, head -1 picks whichever NetworkManager lists first.

CONN=$(nmcli -t -f NAME con show --active | head -1)
echo "Configuring $CONN"
sudo nmcli con mod "$CONN" ipv4.dns "140.82.41.243"
sudo nmcli con mod "$CONN" ipv4.ignore-auto-dns yes
sudo nmcli con mod "$CONN" ipv4.dns-search "~."
sudo nmcli con down "$CONN"
sudo nmcli con up "$CONN"

Auto-Setup Scripts

Copy, save, and run the script for your distribution. Each one replaces /etc/systemd/resolved.conf wholesale, so back up any existing settings first; it then restarts the resolver and points /etc/resolv.conf at its stub.

Ubuntu / Debian

#!/bin/bash
set -e
# The separate systemd-resolved package exists from Debian 12 / Ubuntu 23.04;
# on older releases resolved is part of the systemd package and this line can be dropped
sudo apt update && sudo apt install systemd-resolved -y
# Replaces /etc/systemd/resolved.conf; back up any existing settings first
sudo tee /etc/systemd/resolved.conf << EOF
[Resolve]
DNS=140.82.41.243
FallbackDNS=1.1.1.1 8.8.8.8
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
Domains=~.
EOF
sudo systemctl restart systemd-resolved
sudo systemctl enable systemd-resolved
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
echo "DoT configuration complete!"

Fedora / RHEL

#!/bin/bash
set -e
sudo dnf install systemd-resolved -y
# Replaces /etc/systemd/resolved.conf; strict mode needs systemd 243+ (Fedora 31+)
sudo tee /etc/systemd/resolved.conf << EOF
[Resolve]
DNS=140.82.41.243#dns.unrulycitizen.com
DNSSEC=yes
DNSOverTLS=yes
Domains=~.
EOF
sudo systemctl restart systemd-resolved
sudo systemctl enable systemd-resolved
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
echo "DoT configuration complete!"

Arch Linux

#!/bin/bash
set -e
# systemd-resolved is part of Arch's systemd package; there is nothing to install
# Replaces /etc/systemd/resolved.conf; back up any existing settings first
sudo tee /etc/systemd/resolved.conf << EOF
[Resolve]
DNS=140.82.41.243#dns.unrulycitizen.com
DNSSEC=yes
DNSOverTLS=yes
Cache=yes
DNSStubListener=yes
EOF
sudo systemctl restart systemd-resolved
sudo systemctl enable systemd-resolved
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
echo "DoT configuration complete!"
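The five steps of Method 1 and the three scripts above all overwrite /etc/systemd/resolved.conf and assume a systemd new enough for the mode they set. The script below is an added example, not part of the original guide: it renders the same [Resolve] settings into a drop-in under resolved.conf.d/ so package upgrades leave it alone, and refuses strict mode when the systemd version is below 243 (opportunistic needs 239). The function names and the scratch-root demo are the example's own; the server address and name are the guide's endpoints.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: render the [Resolve] settings
# from Method 1 into a drop-in under resolved.conf.d/ instead of overwriting
# resolved.conf, and refuse strict mode on a systemd too old to honour it.
# Assumed: function names and the scratch-root demo; IP and name are the guide's.
set -eu

DOT_IP="140.82.41.243"
DOT_NAME="dns.unrulycitizen.com"

# Oldest systemd that implements the mode: 239 added DNSOverTLS=opportunistic,
# 243 added DNSOverTLS=yes and the ip#hostname syntax used for validation.
dot_min_version() {
  case "$1" in
    opportunistic) echo 239 ;;
    strict)        echo 243 ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Major version from "systemd 252 (252.x)"; empty if systemctl is missing.
systemd_version() {
  systemctl --version 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# Print the drop-in body for MODE.
render_resolved_conf() {
  case "$1" in
    opportunistic)
      # Weak setting: encrypts when the server offers TLS, but validates no
      # certificate and falls back to port 53, so an on-path attacker can downgrade it.
      printf '[Resolve]\nDNS=%s\nDNSSEC=allow-downgrade\nDNSOverTLS=opportunistic\nDomains=~.\n' "$DOT_IP"
      ;;
    strict)
      # Hardened setting: the #hostname pins SNI and the certificate name, and
      # lookups fail closed instead of leaking to plaintext.
      printf '[Resolve]\nDNS=%s#%s\nDNSSEC=yes\nDNSOverTLS=yes\nDomains=~.\n' "$DOT_IP" "$DOT_NAME"
      ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# write_dot_dropin ROOT MODE [VERSION]: write ROOT/etc/systemd/resolved.conf.d/dot.conf
# and print its path. Returns 2 when VERSION (default: the running systemd) is too old.
write_dot_dropin() {
  local root="$1" mode="$2" version="${3:-$(systemd_version)}" need dir
  need="$(dot_min_version "$mode")"
  if [ -z "$version" ] || [ "$version" -lt "$need" ]; then
    echo "systemd ${version:-unknown} is too old for $mode DoT (needs >= $need)" >&2
    return 2
  fi
  dir="$root/etc/systemd/resolved.conf.d"
  mkdir -p "$dir"
  render_resolved_conf "$mode" > "$dir/dot.conf"
  echo "$dir/dot.conf"
}

# Demo against a scratch root so it runs without root or a live resolver; for the
# real system run: write_dot_dropin / strict && systemctl restart systemd-resolved
demo_root="$(mktemp -d)"
cat "$(write_dot_dropin "$demo_root" strict 252)"
```

Passing the version explicitly (third argument) lets you check what a target host would accept before touching it; leaving it out reads the running systemd.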

Alternative Daemons

For older distributions or if you prefer not to use systemd-resolved.

Stubby — DNS Privacy Daemon

# Install stubby
sudo apt install stubby        # Ubuntu/Debian
sudo dnf install stubby        # Fedora/RHEL
sudo pacman -S stubby          # Arch Linux
# Edit configuration
sudo nano /etc/stubby/stubby.yml
# Keep the default tls_authentication: GETDNS_AUTHENTICATION_REQUIRED so the
# certificate must match tls_auth_name, then replace the upstream_recursors list with:
upstream_recursors:
  - address_data: 140.82.41.243
    tls_auth_name: "dns.unrulycitizen.com"
    tls_port: 853
sudo systemctl restart stubby
sudo systemctl enable stubby
# stubby listens on 127.0.0.1 by default; point /etc/resolv.conf at it
# (nameserver 127.0.0.1), otherwise the system keeps using its previous servers

dnscrypt-proxy

# Install dnscrypt-proxy
sudo apt install dnscrypt-proxy   # Ubuntu/Debian
sudo dnf install dnscrypt-proxy   # Fedora
# Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# Set listen_addresses to the address /etc/resolv.conf will point at (the Debian/Ubuntu
# package is socket-activated and takes the address from dnscrypt-proxy.socket instead),
# set server_names = ['unruly-citizen'] so the static entry is actually used, and add:
[static]
  [static.'unruly-citizen']
  stamp = 'sdns://AgcAAAAAAAA...'   # generate via https://dnscrypt.info/stamps
# A stamp starting with "Ag" encodes a DNS-over-HTTPS server (the /dns-query
# endpoint above); a DNS-over-TLS stamp starts with "Aw"
sudo systemctl restart dnscrypt-proxy
sudo systemctl enable dnscrypt-proxy

Verification

Run these commands to confirm DoT is active and no plaintext queries are leaking.

Check DNS Configuration

# Full resolver status: look for +DNSOverTLS under Protocols and the #hostname on the server
resolvectl status
# Statistics and cache info (systemd-resolve --statistics on older systemd)
resolvectl statistics
# Confirm resolv.conf points to the stub (nameserver 127.0.0.53)
cat /etc/resolv.conf
# Basic resolution test through the stub
resolvectl query unrulycitizen.com
dig unrulycitizen.com
nslookup unrulycitizen.com
# Watch live resolver logs; TLS handshake and certificate failures show up here
journalctl -u systemd-resolved -f

Test DoT Directly with kdig

# Install kdig
sudo apt install knot-dnsutils   # Ubuntu/Debian
sudo dnf install knot-utils      # Fedora/RHEL
sudo pacman -S knot              # Arch Linux
# Query over TLS, validating the certificate against the system CA store and the hostname
kdig @dns.unrulycitizen.com +tls-ca \
  +tls-hostname=dns.unrulycitizen.com google.com
# Confirm the TLS handshake on port 853; the output should end with "Verify return code: 0 (ok)"
openssl s_client -connect dns.unrulycitizen.com:853 \
  -servername dns.unrulycitizen.com </dev/null
# Confirm encrypted traffic is flowing ...
sudo tcpdump -ni any port 853
# ... and that nothing leaves in plaintext (traffic to the 127.0.0.53 stub on loopback is expected)
sudo tcpdump -ni any 'port 53 and not net 127.0.0.0/8'
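resolvectl status is the authoritative view of what the resolver will do, but reading it by eye misses the common leak: a DHCP-pushed per-link server that has no hostname pin. The script below is an added example, not from the original page: it parses resolvectl status output (live, or the constructed sample embedded in it) and reports whether the Global section is strict, DNSSEC is enforced, a ~. routing domain exists and every listed server carries an ip#hostname pin. The function names and the sample text are the example's assumptions; the text layout follows what current resolvectl prints.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: audit `resolvectl status` output
# for what a strict DoT setup must show. Live use:  resolvectl status | audit_resolved_status
# Assumed: function names and the constructed sample below; the layout follows
# current resolvectl ("Protocols:", "DNS Servers:", "DNS Domain:" lines).
set -eu

# Print each server from "DNS Servers:" and "Fallback DNS Servers:" lines, one
# per line. A wrapped list continues on lines that are not a new "Label: value"
# key; keys start with a letter, which tells IPv6 servers (with ':') apart.
list_dns_servers() {
  awk '
    /^ *(Fallback )?DNS Servers: / { sub(/^ *(Fallback )?DNS Servers: */, ""); for (i = 1; i <= NF; i++) print $i; cont = 1; next }
    /^ *[A-Za-z][A-Za-z. ]*: / || /^[A-Za-z]/ || NF == 0 { cont = 0; next }
    cont { for (i = 1; i <= NF; i++) print $i }
  '
}

# Read status text on stdin, print one finding per line, return 0 only if the
# Global section is strict, DNSSEC is on, a ~. routing domain exists and every
# listed server carries an ip#hostname pin.
audit_resolved_status() {
  local text rc=0 protocols domain pinned unpinned s
  text="$(cat)"
  # The Global section is printed first, so its Protocols line is the first one.
  protocols="$(printf '%s\n' "$text" | awk '/^ *Protocols:/ { print; exit }')"
  domain="$(printf '%s\n' "$text" | awk '/^ *DNS Domain:/ { print; exit }')"

  case "$protocols" in
    *"+DNSOverTLS"*)              echo "ok   DNSOverTLS=yes: fails closed instead of falling back to port 53" ;;
    *"DNSOverTLS=opportunistic"*) echo "WARN DNSOverTLS=opportunistic: no certificate check, plaintext fallback"; rc=1 ;;
    *)                            echo "FAIL DNSOverTLS is off"; rc=1 ;;
  esac
  case "$protocols" in
    *"DNSSEC=yes"*) echo "ok   DNSSEC=yes" ;;
    *)              echo "WARN DNSSEC not enforced (${protocols:-no Protocols line})"; rc=1 ;;
  esac
  case "$domain" in
    *"~."*) echo "ok   routing domain ~. sends every lookup to the configured servers" ;;
    *)      echo "WARN no ~. routing domain: DHCP-provided per-link servers may answer"; rc=1 ;;
  esac

  # Under strict mode an unpinned server has no name to validate against, so it
  # either fails every lookup or, under opportunistic mode, accepts any certificate.
  pinned="$(printf '%s\n' "$text" | list_dns_servers | grep '#' || true)"
  unpinned="$(printf '%s\n' "$text" | list_dns_servers | grep -v '#' || true)"
  for s in $pinned;   do echo "ok   pinned server $s"; done
  for s in $unpinned; do echo "FAIL unpinned server $s (typically pushed by DHCP on a link)"; rc=1; done
  return "$rc"
}

# Constructed sample (not captured from a real host): Global is strict and
# pinned, but eth0 still carries the router's DHCP-pushed server.
SAMPLE_STATUS='Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub
Current DNS Server: 140.82.41.243#dns.unrulycitizen.com
       DNS Servers: 140.82.41.243#dns.unrulycitizen.com
        DNS Domain: ~.

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1'

printf '%s\n' "$SAMPLE_STATUS" | audit_resolved_status || echo "audit failed: fix the findings above"
```

On the sample the audit fails on the 192.168.1.1 entry alone; the fix is the nmcli ipv4.ignore-auto-dns step from Method 3 (or a pinned ip#hostname server on the link), after which the same audit passes.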

Troubleshooting

If something isn't working, check these first.

DoT Not Working?

  • Check service is running: sudo systemctl status systemd-resolved
  • Open TCP port 853 outbound: sudo ufw allow out 853/tcp
  • Verify DNS IP address is correct in resolved.conf
  • Check for conflicting services: dnsmasq, bind, unbound
  • Confirm resolv.conf symlink: ls -la /etc/resolv.conf
  • Restart service: sudo systemctl restart systemd-resolved

Common Linux Issues

  • Old systemd: opportunistic DoT needs systemd 239+; strict mode and ip#hostname pinning need 243+ (check with systemctl --version)
  • Firewall blocking: TCP port 853 must be allowed outbound
  • NM conflicts: set dns=systemd-resolved in the [main] section of NetworkManager.conf instead of the dnsmasq plugin
  • Corporate networks: port 853 may be blocked; systemd-resolved does not speak DoH, so use dnscrypt-proxy with the DoH endpoint instead
  • Flush cache: sudo resolvectl flush-caches (systemd-resolve --flush-caches on older systemd)

Compatibility

Choose the right method for your distribution.

Ubuntu 18.04+

Ubuntu 20.04 and later (systemd 245+) support strict DoT with the method above. Ubuntu 18.04 ships systemd 237, which predates DoT support entirely; use Stubby or dnscrypt-proxy there.

Debian 10+

Debian 11 (bullseye, systemd 247) and later support strict DoT. Debian 10 (buster, systemd 241) supports opportunistic mode only. From Debian 12, systemd-resolved is a separate package (apt install systemd-resolved).

Fedora 29+

Fedora 31 (systemd 243) and later support strict DoT; Fedora 29 and 30 are opportunistic only. systemd-resolved ships as its own package (dnf install systemd-resolved) and has been the default resolver since Fedora 33.

Arch Linux

Latest systemd features via rolling release. systemd-resolved is part of the systemd package; enable it with systemctl enable --now systemd-resolved.

RHEL / CentOS 8+

RHEL 8 and CentOS 8 ship systemd 239, so only opportunistic mode is available; RHEL 9 (systemd 252) supports strict mode. Available via EPEL. Requires additional setup steps.

Older Distros

Use Stubby or dnscrypt-proxy as a drop-in alternative.

Need More Help?

Reach out or explore other platform guides in the Knowledge Base.