So for generic Linux distro with relative close-to-upstream kernel, systemd, glibc, toolchain, GNU utils, etc
- edit
/etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1 1.0.0.1 8.8.8.8
#FallbackDNS=1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
#Domains=
#LLMNR=yes
#MulticastDNS=yes
#DNSSEC=allow-downgrade
#DNSOverTLS=opportunistic
DNSSEC=yes
DNSOverTLS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes
Ubuntu 20.04 specific resolved.conf
[Resolve]
DNS=1.1.1.1 1.0.0.1 8.8.8.8
FallbackDNS=1.1.1.1 8.8.8.10 8.8.8.8
#Domains=
#LLMNR=no
#MulticastDNS=no
DNSSEC=yes
DNSOverTLS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes
- Assume
systemd-resolvedis enabled, restart the service
systemctl restart systemd-resolved.service
- Use local stub resolver
systemd-resolved provides a local DNS stub listener on IP address 127.0.0.53 on the local loopback interface, so to use the DNS over TLS capable stub resolver, we’ll need to somehow manage /etc/resolv.conf and make sure 127.0.0.53 is used as nameserver.
NOTE: systemd maintains
/run/systemd/resolve/stub-resolv.conffor compatibility with traditional Linux programs. We can simply symlink to this file 😉
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
NOTE: For Arch Linux, I have to replace openresolvconf with systemd-resolvconf.
Done.
Validation
Generate DNS query, then check TCP connection to specified upstream DNS server via port 853, in the following example we explicitly used Cloudflare’s 1.1.1.1.
root@netbook:/etc# uname -a
Linux netbook 5.4.5-arch1-1 #1 SMP PREEMPT Wed, 18 Dec 2019 19:48:51 +0000 x86_64 GNU/Linux
root@netbook:~# dig github.com
;; DEBUG: Querying for owner(github.com.), class(1), type(1), server(127.0.0.53), port(53), protocol(UDP)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 55366
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; github.com. IN A
;; ANSWER SECTION:
github.com. 58 IN A 13.236.229.21
;; Received 44 B
;; Time 2019-12-21 22:55:13 AEDT
;; From 127.0.0.53@53(UDP) in 58.0 ms
root@netbook:~# ss -tuna | grep :853
tcp ESTAB 0 0 192.168.1.150:50504 1.1.1.1:853
tcp ESTAB 0 0 192.168.1.150:50506 1.1.1.1:853
