DNS over TLS (DoT) with mullvad

This guide assumes that you're running a systemd-based operating system

1. Configure systemd-resolved to use mullvad's DNS server

Add the following block to your /etc/systemd/resolved.conf

[Resolve]
DNS=194.242.2.4#base.dns.mullvad.net
FallbackDNS=194.242.2.2#dns.mullvad.net
DNSOverTLS=yes
DNSSEC=yes
Domains=~.

Once the changes are saved, restart systemd-resolved

sudo systemctl restart systemd-resolved

2. Make systemd-resolve take precedence over resolve.conf

To make sure your system uses systemd-resolved over resolv.conf, you need to create a symlink as follows:

sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

3. Make sure DNS is working as intended

Make sure you're able to resolve domain names as follows:

resolvectl query google.com

If you see output, you're golden!

4. An Edge Cases:

If you're using a service such as tailscale which overrides your resolv.conf upon start with its own magicDNS server, it may break your DoT setup. To make sure, tailscale never overrides your resolv.conf, do the following

Re-create the symlink as it was likely broken when tailscale started

sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Restart tailscaled and systemd-resolved

sudo systemctl restart tailscaled
sudo systemctl restart systemd-resolved
sudo tailscale up --accept-dns=true

Check your resolve.conf

If your resolve.conf looks as follows, you're all good!

nameserver 127.0.0.53
options edns0 trust-ad
search tailxxxxx.ts.net

5. Configure Browsers with DoT

If previously, you've been using DoH (DNS Over HTTPS) in your browser, and want to shift to your new DoT configuration, do the following

For firefox based browsers:
- Navigate to settings -> Privacy and Security
- Scroll down to DNS over HTTPS
- Select Off
For chromium based browsers:
- Navigate to settings -> Privacy and Security
- Find Use Secure DNS
- Toggle it Off

And just like that, you've configured DoT for your system!