DNS over TLS (DoT) with Mullvad

This guide assumes that you're running a systemd-based operating system.

1. Configure systemd-resolved

Add the following block to your /etc/systemd/resolved.conf:

[Resolve]
DNS=194.242.2.4#base.dns.mullvad.net
FallbackDNS=194.242.2.2#dns.mullvad.net
DNSOverTLS=yes
DNSSEC=yes
Domains=~.

Once the changes are saved, restart systemd-resolved:

sudo systemctl restart systemd-resolved

2. Symlink resolv.conf

To make sure your system uses systemd-resolved over the traditional resolv.conf, create a symlink:

sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

3. Verify DNS resolution

Check that you are able to resolve domain names correctly:

resolvectl query google.com

If the query returns an address, your system is resolving through systemd-resolved and you're golden!

4. Edge Cases: Tailscale

If you're using a service such as Tailscale, which overrides your resolv.conf with MagicDNS, it may break your DoT setup. To fix this:

  1. Re-create the symlink:
     sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
  2. Restart the services:
     sudo systemctl restart tailscaled
     sudo systemctl restart systemd-resolved
     sudo tailscale up --accept-dns=true

If your resolv.conf looks like this, you're all good:

nameserver 127.0.0.53
options edns0 trust-ad
search tailxxxxx.ts.net
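As an added check (not part of the original note), the script below verifies that a resolved.conf carries the settings from step 1 with strict DoT and a #hostname on every server, and that resolv.conf still points only at the 127.0.0.53 stub, which is what the Tailscale fix above restores. Both functions default to the system paths; pass another path to check a copy.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the DoT setup from this note. Not part of the
# original note; paths are the system defaults unless an argument is given.

# Print the effective key=value lines of a resolved.conf: leading whitespace
# stripped, comments (# or ;), blank lines and [section] headers dropped, so a
# commented-out default like "#DNSOverTLS=no" is not mistaken for a setting.
effective_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^\[/d' -e '/^$/d' "$1"
}

# Return 0 if FILE has every setting the note relies on, 1 otherwise,
# printing one reason per failure.
check_resolved_conf() {
    local file="${1:-/etc/systemd/resolved.conf}" rc=0 lines server
    lines=$(effective_lines "$file")
    # Strict mode only: "opportunistic" silently falls back to plaintext DNS.
    printf '%s\n' "$lines" | grep -qx 'DNSOverTLS=yes' || { echo "DNSOverTLS is not 'yes'"; rc=1; }
    printf '%s\n' "$lines" | grep -qx 'DNSSEC=yes' || { echo "DNSSEC is not 'yes'"; rc=1; }
    # Domains=~. routes every lookup to these servers, not just one domain.
    printf '%s\n' "$lines" | grep -qx 'Domains=~\.' || { echo "Domains=~. is missing"; rc=1; }
    [ -n "$(printf '%s\n' "$lines" | sed -n 's/^DNS=//p')" ] || { echo "no DNS= server set"; rc=1; }
    # Each DNS= / FallbackDNS= entry needs the #hostname suffix the note uses:
    # that name is sent as SNI and is what the server certificate is checked against.
    for server in $(printf '%s\n' "$lines" | sed -n 's/^\(Fallback\)\{0,1\}DNS=//p'); do
        case "$server" in
            *#?*) ;;
            *) echo "server $server has no #hostname for certificate validation"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 if every nameserver in FILE is the systemd-resolved stub (127.0.0.53),
# i.e. the symlink from step 2 is in effect and nothing (e.g. MagicDNS) has
# replaced it with a resolver that bypasses DoT.
check_resolv_conf() {
    local file="${1:-/etc/resolv.conf}" rc=0 ns found=0
    for ns in $(sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}//p' "$file"); do
        found=1
        [ "$ns" = "127.0.0.53" ] || { echo "nameserver $ns bypasses the stub resolver"; rc=1; }
    done
    [ "$found" -eq 1 ] || { echo "no nameserver line in $file"; rc=1; }
    return $rc
}

# Run both checks against the live system when invoked with --check.
if [ "${1:-}" = "--check" ]; then
    check_resolved_conf && check_resolv_conf && echo "DoT configuration looks consistent"
fi
```

Source the file and call `check_resolved_conf` and `check_resolv_conf` individually to test copies of the files, or run it with `--check` against the live system.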

5. Configure Browsers

If you were previously using DoH (DNS over HTTPS) in your browser and want to switch to system-wide DoT, turn it off so the browser uses the system resolver:

Firefox-based browsers:

Settings -> Privacy and Security -> DNS over HTTPS -> Off

Chromium-based browsers:

Settings -> Privacy and Security -> Use Secure DNS -> Off

And just like that, you've configured DoT for your system!