From 9b862352bddc68787869348aa58272aa0310a85d Mon Sep 17 00:00:00 2001 From: subh Date: Tue, 14 Apr 2026 03:31:17 +0530 Subject: changes --- stuff/cloudflare-dot.html | 159 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) create mode 100644 stuff/cloudflare-dot.html (limited to 'stuff/cloudflare-dot.html') diff --git a/stuff/cloudflare-dot.html b/stuff/cloudflare-dot.html new file mode 100644 index 0000000..137a6d9 --- /dev/null +++ b/stuff/cloudflare-dot.html @@ -0,0 +1,159 @@ + + + + + + DNS over TLS Setup Guide + + + + +

DNS over TLS (DoT) with cloudflare

+ +

This guide assumes that you're running a systemd-based operating system

+ +

1. Configure systemd-resolved to use cloudflare's DNS server

+

Add the following block to your /etc/systemd/resolved.conf

+
[Resolve]
+DNS=1.1.1.3#family.cloudflare-dns.com 2606:4700:4700::1113#family.cloudflare-dns.com
+FallbackDNS=1.0.0.3#family.cloudflare-dns.com 2606:4700:4700::1003#family.cloudflare-dns.com
+DNSOverTLS=yes
+DNSSEC=yes
+Domains=~.
+
+

1.1.1.3 and 1.0.0.3 are part of cloudflare's family-friendly DNS servers which block malware and adult contents. You can also use the default 1.1.1.1 DNS server for DoT.

+

Once the changes are saved, restart systemd-resolved

+
sudo systemctl restart systemd-resolved
+
+ +

2. Make systemd-resolve take precedence over resolve.conf

+

To make sure your system uses systemd-resolved over resolv.conf, you need to create a symlink as follows:

+
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+ +

3. Make sure DNS is working as intended

+

Make sure you're able to resolve domain names as follows:

+
resolvectl query google.com
+
+

If you see output, you're golden!

+ +

4. An Edge Cases:

+

If you're using a service such as tailscale which overrides your resolv.conf upon start with its own magicDNS server, it may break your DoT setup. To make sure, tailscale never overrides your resolv.conf, do the following

+
    +
  1. Re-create the symlink as it was likely broken when tailscale started
  2. +
+
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+
    +
  1. Restart tailscaled and systemd-resolved
  2. +
+
sudo systemctl restart tailscaled
+sudo systemctl restart systemd-resolved
+sudo tailscale up --accept-dns=true
+
+
    +
  1. Check your resolve.conf
  2. +
+

If your resolve.conf looks as follows, you're all good!

+
nameserver 127.0.0.53
+options edns0 trust-ad
+search tailxxxxx.ts.net
+
+ +

5. Configure Browsers with DoT

+

If previously, you've been using DoH (DNS Over HTTPS) in your browser, and want to shift to your new DoT configuration, do the following

+
    +
  1. +

    For firefox based browsers:

    +
      +
    • Navigate to settings -> Privacy and Security
    • +
    • Scroll down to DNS over HTTPS
    • +
    • Select Off
    • +
    +
  2. +
  3. +

    For chromium based browsers:

    +
      +
    • Navigate to settings -> Privacy and Security
    • +
    • Find Use Secure DNS
    • +
    • Toggle it Off
    • +
    +
  4. +
+

And just like that, you've configured DoT for your system!

+ + + -- cgit v1.2.3
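Review bot: the check in step 3 (`resolvectl query google.com` followed by "If you see output, you're golden!") does not verify what the guide set out to achieve, because `resolvectl` talks to systemd-resolved directly and never reads /etc/resolv.conf, so it would succeed even if the step 2 symlink were missing and ordinary applications were still sending plaintext queries to whatever nameserver a DHCP-written resolv.conf lists. Suggest having the reader confirm `resolvectl status` reports DNS over TLS as enabled and the configured 1.1.1.3 / 1.0.0.3 servers in the global section, and that `cat /etc/resolv.conf` shows `nameserver 127.0.0.53` (the page already shows that expected content under step 4.3, so it can simply be referenced here). In step 4, the instructions say the goal is that Tailscale "never overrides your resolv.conf", but `sudo tailscale up --accept-dns=true` is Tailscale's default and keeps it managing DNS; that works here only because resolv.conf has been made the resolved stub, which lets Tailscale register its MagicDNS resolver as a per-link server on tailscale0 instead of rewriting the file. Either explain that, or, if the intent really is that Tailscale leave DNS alone, change the flag to `--accept-dns=false` and note that tailnet names then stop resolving. One caveat worth a sentence next to the config block: `DNSSEC=yes` is strict validation and will make lookups for domains with broken DNSSEC fail outright rather than fall back. Style: the heading "Make systemd-resolve take precedence over resolve.conf" should read "systemd-resolved" and "resolv.conf", "resolve.conf" recurs in step 4.3 and the sentence after it, and "An Edge Cases:" should be "An edge case:".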