Encrypting DNS traffic on Linux with DoT
Curious Looks
Deploying DoT Globally
If you want to enable DoT on more than a single interface, you can adjust the global settings for the service in the resolved.conf file:

    $ grep -v '^#' /etc/systemd/resolved.conf
    [Resolve]
    DNS=1.1.1.1#one.one.one.one
    DNSOverTLS=yes

Then, after making the changes, restart the service with

    systemctl restart systemd-resolved
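To check that a resolved.conf really enforces the strict configuration shown above, here is an added example (not code from the article or from systemd) that parses the [Resolve] section and flags the two settings that weaken DoT: a DNSOverTLS mode other than yes, which permits plaintext fallback, and an upstream server listed without the #hostname suffix, which leaves resolved nothing to validate the certificate against. The two configuration strings are constructed inline; the function names are my own.

```python
import configparser

# Constructed sample configurations (not read from disk). STRICT_CONF mirrors
# the article's settings; WEAK_CONF is a deliberately weaker variant.
STRICT_CONF = """
[Resolve]
DNS=1.1.1.1#one.one.one.one 1.0.0.1#one.one.one.one
DNSOverTLS=yes
"""

WEAK_CONF = """
[Resolve]
DNS=1.1.1.1
DNSOverTLS=opportunistic
"""


def parse_resolve_section(text):
    """Return the keys of the [Resolve] section as a dict (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as systemd spells it
    cp.read_string(text)
    return dict(cp["Resolve"]) if cp.has_section("Resolve") else {}


def audit_dot_config(text):
    """List findings that weaken DoT; an empty list means strict DoT with
    a server name for certificate validation on every upstream."""
    section = parse_resolve_section(text)
    findings = []
    mode = section.get("DNSOverTLS", "no").strip().lower()
    if mode != "yes":
        # "opportunistic" and "no" both allow unencrypted DNS to the upstream
        findings.append(f"DNSOverTLS={mode}: not strict, plaintext fallback possible")
    servers = section.get("DNS", "").split()
    if not servers:
        findings.append("DNS= is empty: no upstream server configured")
    for srv in servers:
        # systemd expects address[:port][#servername]; without #servername
        # the TLS certificate cannot be checked against a hostname
        if "#" not in srv:
            findings.append(f"{srv}: no server name for certificate validation")
    return findings


if __name__ == "__main__":
    for name, conf in (("strict", STRICT_CONF), ("weak", WEAK_CONF)):
        print(name, audit_dot_config(conf) or ["ok"])
```

To audit a live system, pass the contents of /etc/systemd/resolved.conf to audit_dot_config instead of the constructed strings.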
Conclusions
The DoT standard supports encrypted communication with a DNS server over a dedicated network port. You can also ensure the authenticity of a server with the help of its X.509 certificate. To give applications on a system secure access to a DNS server, the local resolver also needs to support this standard. On Linux, the systemd-resolved service is the ideal choice for this job, because it is included in the software repositories of the vast majority of popular distributions and lets you configure the service easily.
Infos
- RFC 8484: https://datatracker.ietf.org/doc/html/rfc8484
- Public DNS servers with DoH support: https://dnscrypt.info/public-servers/
- RFC 7858: https://datatracker.ietf.org/doc/html/rfc7858
- Cloudflare DNS: https://one.one.one.one
- Knot DNS server: https://www.knot-dns.cz