From afecebc9521775a3bf2cdd055035d3d0a3377554 Mon Sep 17 00:00:00 2001 From: subh Date: Wed, 15 Apr 2026 18:32:58 +0530 Subject: revamp --- stuff/mullvad-dot.html | 257 +++++++++++++++++++++++++++++-------------------- 1 file changed, 150 insertions(+), 107 deletions(-) (limited to 'stuff/mullvad-dot.html') diff --git a/stuff/mullvad-dot.html b/stuff/mullvad-dot.html index faea8f7..ab54d3e 100644 --- a/stuff/mullvad-dot.html +++ b/stuff/mullvad-dot.html @@ -3,156 +3,199 @@ - subh.space + DoT with Mullvad - subh.space -

DNS over TLS (DoT) with mullvad

+
+ home + git + github + notes + hackthebox +
+ +
+

DNS over TLS (DoT) with Mullvad

+ +

This guide assumes that you're running a systemd-based operating system.

-

This guide assumes that you're running a systemd-based operating system

+

1. Configure systemd-resolved

+

Add the following block to your /etc/systemd/resolved.conf:

-

1. Configure systemd-resolved to use mullvad's DNS server

-

Add the following block to your /etc/systemd/resolved.conf

-
[Resolve]
+        
[Resolve]
 DNS=194.242.2.4#base.dns.mullvad.net
 FallbackDNS=194.242.2.2#dns.mullvad.net
 DNSOverTLS=yes
 DNSSEC=yes
-Domains=~.
-
-

Once the changes are saved, restart systemd-resolved

-
sudo systemctl restart systemd-resolved
-
- -

2. Make systemd-resolve take precedence over resolve.conf

-

To make sure your system uses systemd-resolved over resolv.conf, you need to create a symlink as follows:

-
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
-
- -

3. Make sure DNS is working as intended

-

Make sure you're able to resolve domain names as follows:

-
resolvectl query google.com
-
-

If you see output, you're golden!

- -

4. An Edge Cases:

-

If you're using a service such as tailscale which overrides your resolv.conf upon start with its own magicDNS server, it may break your DoT setup. To make sure, tailscale never overrides your resolv.conf, do the following

-
    -
  1. Re-create the symlink as it was likely broken when tailscale started
  2. -
-
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
-
-
    -
  1. Restart tailscaled and systemd-resolved
  2. -
-
sudo systemctl restart tailscaled
+Domains=~.
+ +

Once the changes are saved, restart systemd-resolved:

+
sudo systemctl restart systemd-resolved
+ +

2. Symlink resolv.conf

+

To make sure your system uses systemd-resolved over the traditional resolv.conf, create a symlink:

+
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+ +

3. Verify DNS resolution

+

Check if you are able to resolve domain names correctly:

+
resolvectl query google.com
+

If you see output, you're golden!

+ +

4. Edge Cases: Tailscale

+

If you're using a service such as Tailscale which overrides your resolv.conf with MagicDNS, it may break your DoT setup. To fix this:

+ +
    +
  1. Re-create the symlink: sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
  2. +
  3. Restart the services:
  4. +
+ +
sudo systemctl restart tailscaled
 sudo systemctl restart systemd-resolved
-sudo tailscale up --accept-dns=true
-
-
    -
  1. Check your resolve.conf
  2. -
-

If your resolve.conf looks as follows, you're all good!

-
nameserver 127.0.0.53
+sudo tailscale up --accept-dns=true
+ +

If your resolve.conf looks like this, you're all good:

+
nameserver 127.0.0.53
 options edns0 trust-ad
-search tailxxxxx.ts.net
-
- -

5. Configure Browsers with DoT

-

If previously, you've been using DoH (DNS Over HTTPS) in your browser, and want to shift to your new DoT configuration, do the following

-
    -
  1. -

    For firefox based browsers:

    -
      -
    • Navigate to settings -> Privacy and Security
    • -
    • Scroll down to DNS over HTTPS
    • -
    • Select Off
    • -
    -
  2. -
  3. -

    For chromium based browsers:

    -
      -
    • Navigate to settings -> Privacy and Security
    • -
    • Find Use Secure DNS
    • -
    • Toggle it Off
    • -
    -
  4. -
-

And just like that, you've configured DoT for your system!

+search tailxxxxx.ts.net
+ +

5. Configure Browsers

+

If you were previously using DoH (DNS Over HTTPS) and want to shift to system-wide DoT:

+ +
+ Firefox-based browsers: +

Settings -> Privacy and Security -> DNS over HTTPS -> Off

+
+ +
+ Chromium-based browsers: +

Settings -> Privacy and Security -> Use Secure DNS -> Off

+
+ +

And just like that, you've configured DoT for your system!

+
+ + -- cgit v1.2.3
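Review bot: the Tailscale fix in section 4 ends with `sudo tailscale up --accept-dns=true`, which re-enables Tailscale's DNS management, the very behaviour the paragraph above it says breaks the DoT setup; either change it to `--accept-dns=false` so Tailscale leaves DNS alone, or document why `true` is intended (once /etc/resolv.conf is the systemd-resolved stub symlink, Tailscale hands its MagicDNS servers to resolved as per-link DNS for tailscale0 rather than rewriting resolv.conf, so other lookups keep going to Mullvad over TLS). The check in section 3 is also weaker than it looks: `resolvectl query google.com` talks to systemd-resolved directly and will succeed even if the symlink step failed and applications are still reading a stale /etc/resolv.conf; pairing it with `resolvectl status`, which reports the DNS over TLS and DNSSEC settings, and a libc-path lookup such as `getent hosts google.com` would actually confirm the configuration the guide describes.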