<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>subh.space</title>
<style>
:root {
--bg0: #282828;
--bg1: #3c3836;
--fg: #ebdbb2;
--gray: #928374;
--yellow: #fabd2f;
--green: #b8bb26;
--orange: #fe8019;
--aqua: #8ec07c;
}
body {
font-family: 'Iosevka Nerd Font Propo', Iosevka;
line-height: 1.7;
color: var(--fg);
background-color: var(--bg0);
max-width: 780px;
margin: 40px auto;
padding: 0 20px;
-webkit-font-smoothing: antialiased;
}
h1 {
font-size: 2.2em;
color: var(--yellow);
border-bottom: 2px solid var(--bg1);
padding-bottom: 15px;
margin-bottom: 30px;
}
h2 {
font-size: 1.5em;
color: var(--aqua);
margin-top: 35px;
margin-bottom: 15px;
font-weight: 600;
}
p { margin-bottom: 1.2em; }
code {
font-family: 'Fira Code', 'JetBrains Mono', 'Courier New', monospace;
background-color: var(--bg1);
color: var(--orange);
padding: 3px 6px;
border-radius: 4px;
font-size: 0.9em;
}
pre {
background-color: #1d2021;
padding: 20px;
border-radius: 8px;
overflow-x: auto;
border: 1px solid var(--bg1);
margin-bottom: 1.5em;
}
pre code {
background-color: transparent;
padding: 0;
color: var(--fg);
color-scheme: dark;
}
.language-toml { color: var(--fg); }
.toml-key { color: var(--green); }
ol, ul { margin-bottom: 1.5em; padding-left: 25px; }
li { margin-bottom: 0.8em; }
li pre { margin-top: 10px; margin-bottom: 10px; }
</style>
</head>
<body>
<h1>DNS over TLS (DoT) with Cloudflare</h1>
<p>This guide assumes that you're running a systemd-based operating system.</p>
<h2>1. Configure systemd-resolved to use Cloudflare's DNS server</h2>
<p>Add the following block to your <code>/etc/systemd/resolved.conf</code>:</p>
<pre><code class="language-toml"><span class="toml-key">[Resolve]</span>
DNS=1.1.1.3#family.cloudflare-dns.com 2606:4700:4700::1113#family.cloudflare-dns.com
FallbackDNS=1.0.0.3#family.cloudflare-dns.com 2606:4700:4700::1003#family.cloudflare-dns.com
DNSOverTLS=yes
DNSSEC=yes
Domains=~.
</code></pre>
<p><code>1.1.1.3</code> and <code>1.0.0.3</code> are part of Cloudflare's family-friendly DNS servers, which block malware and adult content. You can also use the default <code>1.1.1.1</code> DNS server for DoT.</p>
<p>Once the changes are saved, restart <code>systemd-resolved</code>:</p>
<pre><code class="language-shell">sudo systemctl restart systemd-resolved
</code></pre>
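As an added example (not part of the original guide), here is a small POSIX shell linter for the <code>[Resolve]</code> block above: it flags a <code>DNSOverTLS</code> value other than <code>yes</code>, a missing <code>DNSSEC=yes</code>, and any server listed without the <code>#hostname</code> suffix. It runs against a constructed sample written to a temporary file; the function name <code>check_resolved_conf</code> and the sample values are my own, and passing <code>/etc/systemd/resolved.conf</code> instead checks a live host.

```shell
#!/bin/sh
# Added example, not code from the guide: a small linter for the [Resolve] block.
# It checks a constructed sample in a temp file; pass /etc/systemd/resolved.conf instead.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample with two deliberate weaknesses
[Resolve]
DNS=1.1.1.3#family.cloudflare-dns.com 2606:4700:4700::1113#family.cloudflare-dns.com
FallbackDNS=1.0.0.3#family.cloudflare-dns.com 2606:4700:4700::1003
DNSOverTLS=opportunistic
DNSSEC=yes
Domains=~.
EOF

# check_resolved_conf FILE: print one line per finding and return the number of
# findings (0 means FILE matches the strict DoT setup used in this guide).
check_resolved_conf() {
    findings=0
    # keep only the uncommented lines of the [Resolve] section
    section=$(awk '/^\[/ { insec = ($0 == "[Resolve]") } insec && !/^[[:space:]]*[#;]/' "$1")
    tls=$(printf '%s\n' "$section" | sed -n 's/^DNSOverTLS=//p' | tail -n 1)
    if [ "$tls" != "yes" ]; then
        # "opportunistic" (or unset) allows a downgrade to plaintext port-53 DNS
        echo "DNSOverTLS=${tls:-(unset)}: only 'yes' refuses to fall back to plaintext DNS"
        findings=$((findings + 1))
    fi
    dnssec=$(printf '%s\n' "$section" | sed -n 's/^DNSSEC=//p' | tail -n 1)
    if [ "$dnssec" != "yes" ]; then
        echo "DNSSEC=${dnssec:-(unset)}: this guide sets DNSSEC=yes"
        findings=$((findings + 1))
    fi
    # every server needs address#hostname: resolved sends the hostname as SNI and
    # matches the server certificate against it, so a bare address cannot be checked
    for srv in $(printf '%s\n' "$section" | sed -n -e 's/^DNS=//p' -e 's/^FallbackDNS=//p'); do
        case "$srv" in
            *#?*) ;;
            *) echo "server $srv has no #hostname, so its certificate cannot be validated"
               findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

if check_resolved_conf "$SAMPLE_CONF"; then
    echo "resolved.conf matches the strict DoT setup"
else
    echo "fix the findings above, then run: sudo systemctl restart systemd-resolved"
fi
```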
<h2>2. Make systemd-resolved take precedence over resolv.conf</h2>
<p>To make sure your system uses <code>systemd-resolved</code> rather than a static <code>resolv.conf</code>, create the following symlink:</p>
<pre><code class="language-shell">sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
</code></pre>
<h2>3. Make sure DNS is working as intended</h2>
<p>Make sure you're able to resolve domain names as follows:</p>
<pre><code class="language-shell">resolvectl query google.com
</code></pre>
<p>If you see output, you're golden!</p>
<h2>4. An Edge Case</h2>
<p>If you're using a service such as Tailscale, which overwrites your <code>resolv.conf</code> on startup with its own MagicDNS server, it may break your DoT setup. To make sure Tailscale never overrides your <code>resolv.conf</code>, do the following:</p>
<ol>
<li>Re-create the symlink, as it was likely replaced when Tailscale started</li>
</ol>
<pre><code class="language-shell">sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
</code></pre>
<ol start="2">
<li>Restart <code>tailscaled</code> and <code>systemd-resolved</code></li>
</ol>
<pre><code class="language-shell">sudo systemctl restart tailscaled
sudo systemctl restart systemd-resolved
sudo tailscale up --accept-dns=true
</code></pre>
<ol start="3">
<li>Check your <code>resolv.conf</code></li>
</ol>
<p>If your <code>resolv.conf</code> looks as follows, you're all good!</p>
<pre><code class="language-shell">nameserver 127.0.0.53
options edns0 trust-ad
search tailxxxxx.ts.net
</code></pre>
<h2>5. Configure Browsers with DoT</h2>
<p>If you've previously been using DoH (DNS over HTTPS) in your browser and want to switch to your new DoT configuration, do the following:</p>
<ol>
<li>
<p>For Firefox-based browsers:</p>
<ul>
<li>Navigate to <code>Settings</code> -> <code>Privacy and Security</code></li>
<li>Scroll down to <code>DNS over HTTPS</code></li>
<li>Select <code>Off</code></li>
</ul>
</li>
<li>
<p>For Chromium-based browsers:</p>
<ul>
<li>Navigate to <code>Settings</code> -> <code>Privacy and Security</code></li>
<li>Find <code>Use Secure DNS</code></li>
<li>Toggle it Off</li>
</ul>
</li>
</ol>
<p>And just like that, you've configured DoT for your system!</p>
</body>
</html>