Encrypt Your DNS Requests Using DNS-over-TLS in Linux

Introduction

In today's digital landscape, ensuring privacy and security while browsing the internet is more important than ever. One key area that often goes overlooked is DNS (Domain Name System) queries. By default, DNS queries are sent in plaintext, which means anyone monitoring your network traffic can see which websites you're visiting. To mitigate this risk, DNS-over-TLS (DoT) encrypts DNS queries, providing a secure and private way to resolve domain names.

In this tutorial, we will guide you through the process of setting up DNS-over-TLS on a Linux system using Unbound, a popular and highly configurable DNS resolver. We'll also use Quad9, a DNS service that not only respects privacy but also blocks access to known malicious domains, adding an extra layer of security to your browsing experience.

Why Unbound?

Unbound is a versatile, open-source DNS resolver that offers advanced features like DNS caching, DNSSEC validation, and support for DNS-over-TLS. It is lightweight, highly customizable, and suitable for use as a local DNS resolver on individual machines or as a recursive DNS resolver for an entire network.

Why Quad9?

Quad9 is a globally distributed DNS service that focuses on privacy and security. It routes your DNS queries through a secure network and blocks access to known phishing, malware, and other malicious domains. By using Quad9 in conjunction with DNS-over-TLS, you can ensure that your DNS queries are not only encrypted but also filtered for security threats.

In this tutorial, we will walk you through installing and configuring Unbound to forward DNS queries to Quad9 using DNS-over-TLS, ensuring that your DNS traffic is both secure and private.

Step 1: Install a DNS Resolver

To encrypt your DNS requests using DNS-over-TLS, you'll need a DNS resolver that supports the protocol. Unbound is a popular choice.

Install Unbound

Install Unbound using your package manager:

sudo apt-get install unbound

Step 2: Configure Unbound for DNS-over-TLS with Quad9

You'll need to configure Unbound to use DNS-over-TLS by editing its configuration file.

  1. Open the Unbound configuration file:

    sudo nano /etc/unbound/unbound.conf.d/dns-over-tls.conf

  2. Add the following configuration, which forwards all DNS queries to Quad9 using DNS-over-TLS:

    server:
        # Enable DNS-over-TLS
        ssl-upstream: yes

        # Specify cache settings (optional)
        cache-max-ttl: 86400
        cache-min-ttl: 3600

    forward-zone:
        name: "."
        forward-tls-upstream: yes

        # Quad9 DNS servers with DNS-over-TLS
        forward-addr: 9.9.9.9@853          # Quad9 primary
        forward-addr: 149.112.112.112@853  # Quad9 secondary
        forward-addr: 2620:fe::fe@853      # Quad9 IPv6 primary
        forward-addr: 2620:fe::9@853       # Quad9 IPv6 secondary

This configuration does the following:

  • ssl-upstream: yes: Enables DNS-over-TLS for upstream queries.
  • cache-max-ttl and cache-min-ttl: Configure caching for DNS responses.
  • forward-zone: Defines the DNS servers to use for all names (the "." zone), with forward-tls-upstream: yes and port 853 selecting DNS-over-TLS.

  Note that, as written, Unbound encrypts the upstream connection but does not verify the upstream server's certificate. To authenticate Quad9 as well, point tls-cert-bundle at your system CA bundle and append the server's TLS name to each forward-addr (for example 9.9.9.9@853#dns.quad9.net).

  3. Save and close the file (Ctrl + X, then Y, and Enter in nano).

Step 3: Test and Restart Unbound

  1. Test the Unbound configuration:

    sudo unbound-checkconf

    If there are no errors, proceed to the next step.

  2. Restart Unbound to apply the changes:

    sudo systemctl restart unbound
  3. Enable Unbound to start on boot:

    sudo systemctl enable unbound

Step 4: Set Unbound as Your System's DNS Resolver

To ensure your system uses Unbound for DNS queries:

  1. Edit your network configuration: Depending on your network manager, you may need to edit /etc/resolv.conf or use the Network Manager's GUI.

  2. Set 127.0.0.1 as your DNS server:

    • For systems using /etc/resolv.conf, add the following lines at the top of the file:

      nameserver 127.0.0.1
      options edns0 trust-ad
      search .

      Let's break down what these options mean:

      • options edns0: This option enables EDNS0 (Extension Mechanisms for DNS), which allows larger DNS message sizes and is used by most modern DNS communication.
      • trust-ad: This flag tells the system's stub resolver to trust DNS responses that have the "Authenticated Data" (AD) bit set, indicating that the response was validated with DNSSEC. Because the AD bit is simply taken from the response, this is only appropriate when the configured nameserver is trusted to validate, as the local Unbound instance is here.
      • search .: The search directive is normally used to specify a domain to append when a hostname isn't fully qualified. The . here represents the root domain, meaning nothing will be appended.

    • If using Network Manager, go to your connection settings and set 127.0.0.1 as the DNS server.
  3. Prevent resolv.conf from being overwritten: If using /etc/resolv.conf, you can make it immutable to prevent changes:

    sudo chattr +i /etc/resolv.conf

    This command sets the immutable flag on /etc/resolv.conf, preventing any modifications (even by root) until you remove the flag with:

    sudo chattr -i /etc/resolv.conf

Step 5: Verify DNS-over-TLS is Working

To confirm that your DNS requests are encrypted:

  1. Use the dig command to check the DNS resolver:

    dig @127.0.0.1 www.example.com

  2. Use unbound-host to test DNS resolution:

    unbound-host -C /etc/unbound/unbound.conf www.example.com

  3. Check DNS traffic: You can use Wireshark or tcpdump to inspect DNS traffic and confirm that queries leaving the host go to the Quad9 addresses over TCP port 853, with no plaintext DNS on port 53 going out to the network.
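As an added example (not from this tutorial or from Unbound), the Python client below performs by hand the exchange that the forward-zone in Step 2 delegates to Unbound and that the traffic check above observes on port 853: a 2-byte length prefix plus an ordinary DNS message inside a TLS session. It assumes Quad9's TLS name is dns.quad9.net and, unlike the Unbound configuration as given, verifies the server certificate against that name.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # same port as the Unbound forward-addr lines in Step 2

def build_query(name, qid=0x1234):
    """Length-prefixed A/IN query for name with RD and AD set (flags 0x0120)."""
    header = struct.pack("!HHHHHH", qid, 0x0120, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def _skip_name(payload, pos):
    """Advance past a wire-format name; a 0xC0 compression pointer ends it."""
    while payload[pos] and payload[pos] & 0xC0 != 0xC0:
        pos += payload[pos] + 1
    return pos + (2 if payload[pos] & 0xC0 == 0xC0 else 1)

def parse_answer_ips(payload):
    """IPv4 addresses in the answer section of a response (length prefix removed)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(payload, pos) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = _skip_name(payload, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAMEs etc. are skipped
            ips.append(socket.inet_ntoa(payload[pos:pos + 4]))
        pos += rdlen
    return ips

def resolve_over_tls(name, server="9.9.9.9", server_name="dns.quad9.net"):
    """Query Quad9 over TLS and verify its certificate against server_name (assumed
    TLS name), the check Unbound performs only with tls-cert-bundle and #authname."""
    ctx = ssl.create_default_context()  # system CA bundle, hostname check on
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(build_query(name))
            stream = tls.makefile("rb")  # read() blocks until n bytes or EOF
            (length,) = struct.unpack("!H", stream.read(2))
            return parse_answer_ips(stream.read(length))
```

Calling resolve_over_tls("www.example.com") on a connected host returns the A records, and a capture of the session shows only TLS on TCP 853, which is what the tcpdump check in item 3 should also show for Unbound's own upstream traffic.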

Summary

By following this tutorial, you've configured your Linux system to use DNS-over-TLS, ensuring that your DNS queries are encrypted and secure. This protects your browsing activity from being monitored or intercepted, enhancing your online privacy.

Additional Notes

  • DNS-over-HTTPS (DoH) is another method of encrypting DNS requests that you may want to explore.
  • Custom DNS Providers: You can add other DNS-over-TLS providers by specifying their IP addresses in the forward-addr section of the configuration.

This setup ensures that your DNS queries are securely encrypted, enhancing your overall online privacy and security.

Extra:

The error chattr: Operation not supported while reading flags on /etc/resolv.conf in Step 4.3 typically occurs because /etc/resolv.conf is not a regular file but a symlink managed by a network manager such as NetworkManager or systemd-resolved. These services automatically generate or overwrite the file based on your system's network configuration.

Steps to Resolve the Issue

Option 1: Disable Automatic Management of /etc/resolv.conf

If you want to prevent your system's network manager from overwriting /etc/resolv.conf, you can configure it to stop managing the file.

1. For NetworkManager:

  • Stop NetworkManager from managing /etc/resolv.conf:

    sudo rm /etc/resolv.conf
    sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

    Or, configure NetworkManager to stop managing /etc/resolv.conf directly:

    sudo nano /etc/NetworkManager/NetworkManager.conf

  • Add the following under the [main] section:

    [main]
    dns=none

  • Restart NetworkManager:

    sudo systemctl restart NetworkManager

2. For systemd-resolved:

  • Link /etc/resolv.conf to the static resolv.conf managed by systemd-resolved:

    sudo rm /etc/resolv.conf
    sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

  • Ensure systemd-resolved is running:

    sudo systemctl enable --now systemd-resolved

Option 2: Use a Custom resolv.conf Location

If you can't or don't want to stop the network manager from managing /etc/resolv.conf, you can configure Unbound or other software to use a custom resolv.conf location.

1. Create a Custom resolv.conf:

  • Create a custom resolv.conf file in a different location, such as /etc/unbound/resolv.conf:

    sudo nano /etc/unbound/resolv.conf

  • Add your DNS configuration:

    nameserver 127.0.0.1
    options edns0 trust-ad
    search .

2. Configure Unbound to Use the Custom resolv.conf:

  • If Unbound or any other service allows specifying a custom resolv.conf location, configure it accordingly.

Verify Your Configuration

After making these changes, test your DNS setup using dig or nslookup to ensure everything is working as expected.

By following these steps, you should be able to either protect /etc/resolv.conf from being overwritten or set up a custom configuration that suits your needs.