| author | subh <subh@subh.space> | 2026-04-14 03:31:17 +0530 |
|---|---|---|
| committer | subh <subh@subh.space> | 2026-04-14 03:31:17 +0530 |
| commit | 9b862352bddc68787869348aa58272aa0310a85d (patch) | |
| tree | f5ee10a26e62ab4a9429453fbda251c4eebfd6c7 /stuff/cloudflare-dot.html | |
| parent | 0d14c12bd421b09406a801dc57b6ae657a206e3f (diff) | |
Diffstat (limited to 'stuff/cloudflare-dot.html')
| -rw-r--r-- | stuff/cloudflare-dot.html | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/stuff/cloudflare-dot.html b/stuff/cloudflare-dot.html new file mode 100644 index 0000000..137a6d9 --- /dev/null +++ b/stuff/cloudflare-dot.html 
@@ -0,0 +1,159 @@ +<!DOCTYPE html> +<html lang="en"> +<head> + <meta charset="UTF-8"> + <meta name="viewport" content="width=device-width, initial-scale=1.0"> + <title>DNS over TLS Setup Guide</title> + <style> + :root { + --bg0: #282828; + --bg1: #3c3836; + --fg: #ebdbb2; + --gray: #928374; + --yellow: #fabd2f; + --green: #b8bb26; + --orange: #fe8019; + --aqua: #8ec07c; + } + + body { + font-family: 'Iosevka Nerd Font Propo', Iosevka; + line-height: 1.7; + color: var(--fg); + background-color: var(--bg0); + max-width: 780px; + margin: 40px auto; + padding: 0 20px; + -webkit-font-smoothing: antialiased; + } + + h1 { + font-size: 2.2em; + color: var(--yellow); + border-bottom: 2px solid var(--bg1); + padding-bottom: 15px; + margin-bottom: 30px; + } + + h2 { + font-size: 1.5em; + color: var(--aqua); + margin-top: 35px; + margin-bottom: 15px; + font-weight: 600; + } + + p { margin-bottom: 1.2em; } + + code { + font-family: 'Fira Code', 'JetBrains Mono', 'Courier New', monospace; + background-color: var(--bg1); + color: var(--orange); + padding: 3px 6px; + border-radius: 4px; + font-size: 0.9em; + } + + pre { + background-color: #1d2021; + padding: 20px; + border-radius: 8px; + overflow-x: auto; + border: 1px solid var(--bg1); + margin-bottom: 1.5em; + } + + pre code { + background-color: transparent; + padding: 0; + color: var(--fg); + color-scheme: dark; + } + + .language-toml { color: var(--fg); } + .toml-key { color: var(--green); } + + ol, ul { margin-bottom: 1.5em; padding-left: 25px; } + li { margin-bottom: 0.8em; } + li pre { margin-top: 10px; margin-bottom: 10px; } + + </style> +</head> +<body> + +<h1>DNS over TLS (DoT) with cloudflare</h1> + +<p>This guide assumes that you're running a systemd-based operating system</p> + +<h2>1. 
Configure systemd-resolved to use cloudflare's DNS server</h2> +<p>Add the following block to your <code>/etc/systemd/resolved.conf</code></p> +<pre><code class="language-toml"><span class="toml-key">[Resolve]</span> +DNS=1.1.1.3#family.cloudflare-dns.com 2606:4700:4700::1113#family.cloudflare-dns.com +FallbackDNS=1.0.0.3#family.cloudflare-dns.com 2606:4700:4700::1003#family.cloudflare-dns.com +DNSOverTLS=yes +DNSSEC=yes +Domains=~. +</code></pre> +<p><code>1.1.1.3</code> and <code>1.0.0.3</code> are part of cloudflare's family-friendly DNS servers which block malware and adult contents. You can also use the default <code>1.1.1.1</code> DNS server for DoT.</p> +<p>Once the changes are saved, restart <code>systemd-resolved</code></p> +<pre><code class="language-shell">sudo systemctl restart systemd-resolved +</code></pre> + +<h2>2. Make systemd-resolve take precedence over resolve.conf</h2> +<p>To make sure your system uses <code>systemd-resolved</code> over <code>resolv.conf</code>, you need to create a symlink as follows:</p> +<pre><code class="language-shell">sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf +</code></pre> + +<h2>3. Make sure DNS is working as intended</h2> +<p>Make sure you're able to resolve domain names as follows:</p> +<pre><code class="language-shell">resolvectl query google.com +</code></pre> +<p>If you see output, you're golden!</p> + +<h2>4. An Edge Cases:</h2> +<p>If you're using a service such as tailscale which overrides your <code>resolv.conf</code> upon start with its own magicDNS server, it may break your DoT setup. 
To make sure, tailscale never overrides your <code>resolv.conf</code>, do the following</p> +<ol> + <li>Re-create the symlink as it was likely broken when tailscale started</li> +</ol> +<pre><code class="language-shell">sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf +</code></pre> +<ol start="2"> + <li>Restart <code>tailscaled</code> and <code>systemd-resolved</code></li> +</ol> +<pre><code class="language-shell">sudo systemctl restart tailscaled +sudo systemctl restart systemd-resolved +sudo tailscale up --accept-dns=true +</code></pre> +<ol start="3"> + <li>Check your <code>resolve.conf</code></li> +</ol> +<p>If your <code>resolve.conf</code> looks as follows, you're all good!</p> +<pre><code class="language-shell">nameserver 127.0.0.53 +options edns0 trust-ad +search tailxxxxx.ts.net +</code></pre> + +<h2>5. Configure Browsers with DoT</h2> +<p>If previously, you've been using DoH (DNS Over HTTPS) in your browser, and want to shift to your new DoT configuration, do the following</p> +<ol> + <li> + <p>For firefox based browsers:</p> + <ul> + <li>Navigate to <code>settings</code> -> <code>Privacy and Security</code></li> + <li>Scroll down to <code>DNS over HTTPS</code></li> + <li>Select <code>Off</code></li> + </ul> + </li> + <li> + <p>For chromium based browsers:</p> + <ul> + <li>Navigate to <code>settings</code> -> <code>Privacy and Security</code></li> + <li>Find <code>Use Secure DNS</code></li> + <li>Toggle it Off</li> + </ul> + </li> +</ol> +<p>And just like that, you've configured DoT for your system!</p> + +</body> +</html> |
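Review bot: step 3 ("If you see output, you're golden!") does not actually verify that DoT is in use: `resolvectl query google.com` also succeeds over plain UDP/53, so a `resolved.conf` that was not picked up, or a `/etc/resolv.conf` still pointing somewhere else, passes this check. Suggest replacing it with `resolvectl status` and telling the reader to confirm `+DNSOverTLS` on the Protocols line, `resolv.conf mode: stub`, and the `1.1.1.3` / `1.0.0.3` servers listed; it is also worth stating that `DNSOverTLS=yes` and `DNSSEC=yes` are both strict settings, so lookups fail rather than fall back to plaintext or unvalidated answers when the upstream cannot be reached or validated, which is the intended behaviour here. Section 4's heading promises tailscale will "never" override `resolv.conf`, but the steps only restore the symlink after it has already been replaced; either soften the wording or say that steps 1-3 must be repeated whenever it happens. Minor text fixes in the same hunk: `resolve.conf` and `systemd-resolve` in the section 2 heading and in step 4.3 should read `resolv.conf` and `systemd-resolved`, and `4. An Edge Cases:` should be `4. An Edge Case`.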
