This guide assumes that you're running a systemd-based operating system
Add the following block to your /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.3#family.cloudflare-dns.com 2606:4700:4700::1113#family.cloudflare-dns.com
FallbackDNS=1.0.0.3#family.cloudflare-dns.com 2606:4700:4700::1003#family.cloudflare-dns.com
DNSOverTLS=yes
DNSSEC=yes
Domains=~.
1.1.1.3 and 1.0.0.3 are part of cloudflare's family-friendly DNS servers which block malware and adult contents. You can also use the default 1.1.1.1 DNS server for DoT.
Once the changes are saved, restart systemd-resolved
sudo systemctl restart systemd-resolved
To make sure your system uses systemd-resolved over resolv.conf, you need to create a symlink as follows:
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Make sure you're able to resolve domain names as follows:
resolvectl query google.com
If you see output, you're golden!
If you're using a service such as tailscale which overrides your resolv.conf upon start with its own magicDNS server, it may break your DoT setup. To make sure, tailscale never overrides your resolv.conf, do the following
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
tailscaled and systemd-resolvedsudo systemctl restart tailscaled
sudo systemctl restart systemd-resolved
sudo tailscale up --accept-dns=true
resolve.confIf your resolve.conf looks as follows, you're all good!
nameserver 127.0.0.53
options edns0 trust-ad
search tailxxxxx.ts.net
If previously, you've been using DoH (DNS Over HTTPS) in your browser, and want to shift to your new DoT configuration, do the following
For firefox based browsers:
settings -> Privacy and SecurityDNS over HTTPSOffFor chromium based browsers:
settings -> Privacy and SecurityUse Secure DNSAnd just like that, you've configured DoT for your system!