Encrypting DNS traffic on Linux with DoT

Curious Looks

Deploying DoT Globally

If you want to enable DoT for all interfaces rather than a single one, adjust the global settings of the service in the resolved.conf file (the output below is filtered to hide the comment lines):

grep -v '^#' /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1#one.one.one.one
DNSOverTLS=yes

Then, restart the service with

systemctl restart systemd-resolved

after making the changes.
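The edit-and-restart procedure above done as a script, added here as an example that is not part of the original article. It rewrites the DNS= and DNSOverTLS= keys of the [Resolve] section in a resolved.conf-style file idempotently (an existing or commented-out entry is replaced, so running it twice does not duplicate keys), then offers a check function that a configuration-audit job can use. The file path and server are arguments; the default run works on a constructed sample file in a temporary directory, and only the --apply mode (run as root) touches /etc/systemd/resolved.conf and restarts the service.

```shell
#!/usr/bin/env bash
# Added example (not from the article): idempotently enable DNS-over-TLS in a
# systemd-resolved configuration file and verify the result.
set -eu

# enable_dot CONFIG_FILE DNS_SERVER
# Puts DNS=<server> and DNSOverTLS=yes into the [Resolve] section of CONFIG_FILE.
# Existing or commented-out entries for those two keys are replaced; missing
# keys (or a missing section) are appended. File permissions are preserved
# because the result is written through the existing file.
enable_dot() {
    cfg="$1"; server="$2"
    tmp="$(mktemp)"
    awk -v srv="$server" '
        function flush() {
            if (!wrote_dns) { print "DNS=" srv; wrote_dns = 1 }
            if (!wrote_tls) { print "DNSOverTLS=yes"; wrote_tls = 1 }
        }
        BEGIN { in_resolve = 0; seen = 0; wrote_dns = 0; wrote_tls = 0 }
        /^\[/ {
            if (in_resolve) flush()        # leaving [Resolve]: add missing keys
            in_resolve = ($0 == "[Resolve]")
            if (in_resolve) seen = 1
            print; next
        }
        in_resolve && /^#?[ \t]*DNS=/ {
            if (!wrote_dns) { print "DNS=" srv; wrote_dns = 1 }
            next                            # drop duplicates and commented copies
        }
        in_resolve && /^#?[ \t]*DNSOverTLS=/ {
            if (!wrote_tls) { print "DNSOverTLS=yes"; wrote_tls = 1 }
            next
        }
        { print }
        END {
            if (!seen) print "[Resolve]"    # no section at all: create it
            flush()
        }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# configured_dns CONFIG_FILE
# Prints the active DNS= value of the [Resolve] section (empty if none).
configured_dns() {
    awk '
        /^\[/ { in_resolve = ($0 == "[Resolve]"); next }
        in_resolve && /^[ \t]*DNS=/ { sub(/^[ \t]*DNS=/, ""); print; exit }
    ' "$1"
}

# dot_enabled CONFIG_FILE
# Exit status 0 when DNSOverTLS=yes is active in [Resolve], 1 otherwise.
# Only "yes" counts: "opportunistic" would silently fall back to plaintext.
dot_enabled() {
    awk '
        /^\[/ { in_resolve = ($0 == "[Resolve]"); next }
        in_resolve && /^[ \t]*DNSOverTLS=yes[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        # Live mode: needs root, edits the real file and restarts the resolver.
        [ "$(id -u)" -eq 0 ] || { echo "run --apply as root" >&2; exit 1; }
        enable_dot /etc/systemd/resolved.conf "${2:-1.1.1.1#one.one.one.one}"
        systemctl restart systemd-resolved
        dot_enabled /etc/systemd/resolved.conf && resolvectl status
        return
    fi
    # Demo mode: constructed sample resembling a stock resolved.conf.
    demo="$(mktemp)"
    printf '%s\n' '[Resolve]' '#DNS=' '#DNSOverTLS=no' '#DNSSEC=no' > "$demo"
    enable_dot "$demo" "1.1.1.1#one.one.one.one"
    enable_dot "$demo" "1.1.1.1#one.one.one.one"   # second run must be a no-op
    echo "DNS server: $(configured_dns "$demo")"
    dot_enabled "$demo" && echo "DoT: enabled"
    cat "$demo"
    rm -f "$demo"
}

[ "${DOT_EXAMPLE_NO_MAIN:-}" = "1" ] || main "$@"
```

The hostname after `#` in the DNS= value is the name systemd-resolved expects to find in the server's X.509 certificate, so leaving it out means the server is encrypted to but not authenticated. `DNSOverTLS=yes` is the strict setting; systemd-resolved also accepts `opportunistic`, which downgrades to plaintext if TLS fails, which is why the check function above only accepts `yes`.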

Conclusions

The DoT standard provides encrypted communication with a DNS server over a dedicated network port, and the server's X.509 certificate lets the client verify that it is talking to the intended server. For applications on a system to benefit, the local resolver must also speak DoT. On Linux, the systemd-resolved service is the natural choice for this job: it ships in the software repositories of the vast majority of popular distributions, and the service is easy to configure.

The Author

Thorsten Scherf is the global Product Lead for Identity Management and Platform Security in Red Hat's Product Experience group. He is a regular speaker at various international conferences and writes a lot about open source software.
