How to get DNS privacy protection on Linux with DNS over TLS
Each day, your computer sends out thousands of DNS queries to the internet. In most cases, your operating system doesn’t protect these queries, and the wrong person with the right amount of know-how can invade your privacy.
In the past on Addictivetips, I’ve talked about DNSCrypt. It’s an excellent way to get DNS privacy protection. However, it’s not the only solution out there. As it turns out, another option is to send DNS over TLS.
Method 1 – Stubby
Stubby is an easy program that works on some Linux distributions which allow users to send DNS queries over TLS.
The Stubby tool works on Ubuntu Linux, Debian Linux, and Arch Linux. To install this tool, launch a terminal window by pressing Ctrl + Alt + T or Ctrl + Shift + T on the keyboard. Then, follow the command-line instructions that correspond to the Linux operating system you are currently using.
Ubuntu
To install Stubby on Ubuntu, you’ll first need to enable the Ubuntu “Universe” software repository. To do this, use the apt-add-repository command in a terminal window.
sudo add-apt-repository universe
After running the add-apt-repository command, it’s time to use the update tool, to have Ubuntu check for software upgrades. It’ll also download the release information to the Universe software source and add it to your system.
sudo apt update
Once the update command is finished up, use the Apt install command to install Stubby on your Ubuntu Linux operating system.
sudo apt install stubby
Debian
On Debian, for versions 10, “Sid” the Stubby tool can be found in the “Main” software repository. To install it, launch a terminal window and use the Apt-get command below.
sudo apt-get install stubby
Arch Linux
Arch Linux users can install Stubby if they have the “Community” software repository set up. To set it up, edit /etc/pacman.conf, scroll to the bottom of the file, remove the # symbols from in front of “Community” and update your system.
Once “Community” is set up, install the Stubby application using the Pacman package manager.
sudo pacman -S stubby
Now that the Stubby application is set up, there’s no need to modify any of the configuration files, because Stubby comes preset with some excellent DNS services that support TLS.
Note: if you wish to change DNS services, edit /etc/stubby/stubby.yml.
The last step in setting up DNS over TLS with Stubby is to change your default DNS settings from whatever address you currently use to the address 127.0.0.1.
Changing DNS settings is different depending on what Linux desktop environment you are using, so we won’t cover it in this post. Instead, head over to our guide on how to change DNS settings for more information.
When the DNS settings are changed to 127.0.0.1, your Linux machine should be using DNS over TLS!
Method 2 – Systemd-resolved
While the Stubby tool is easy to configure and makes sending DNS over TLS on Linux quite straight-forward, it sadly doesn’t work on every single distribution.
A great alternative to the Stubby program for configuring DNS over TLS on Linux is to make use of the Systemd-resolved DNS caching system. The main reason for this is that it’s built into the Systemd init system that most Linux operating systems already use, and it’s easy to start using. Though, keep in mind that before setting up Systemd-resolved for DNS over TLS, you must turn off the DNS cache system you currently use in favor of Systemd-resolved.
To set up the Systemd-resolved system, launch a command-line terminal by pressing Ctrl + Alt + T or Ctrl + Shift + T on the keyboard. Then, use the systemctl command to disable the DNS cache system you use.
Note: if you do not use DNS Masq or NSCD you likely already use Systemd-resolved and do not need to disable anything.
DNS Masq
sudo systemctl stop dnsmasq.service
sudo systemctl disable dnsmasq.service -f
NSCD
sudo systemctl stop nscd.service -f sudo systemctl disable nscd.service -f
With your default DNS provider shut off on your Linux PC, it’s time to switch over to Systemd-resolved. To do this, once again make use of the systemctl command.
sudo systemctl enable systemd-resolved.service -f sudo systemctl start systemd-resolved.service
With the tool enabled via Systemd, we can configure the program to use DNS over TLS. To start, launch the tool’s configuration file in Nano.
sudo nano -w /etc/systemd/resolved.conf
Edit the Resolved.conf file with Nano, and scroll down to DNS=.
After the = sign, add in a secure, TLS-enabled DNS server, such as CloudFlare’s privacy DNS server. It should look like:
DNS=1.1.1.1
Next, move down to Domains= and change it to look like the code below.
Domains=~.
Following “Domains,” move down to DNSOverTLS= and change it to look like the code below.
DNSOverTLS=opportunistic
Save the edits to Resolved.conf by pressing Ctrl + O, then exit with Ctrl + X and restart your DNS system to enable DNS over TLS with Systemd-resolved!
sudo systemctl restart systemd-resolved
Thanks for the guide. The internet in my new place seems to be filtered by the ISP and it appears to work fine on my android with 1.1.1.1 app installed so I figured I could workaround the filter through DNS settings. Simply changing DNS server in connection settings didn’t work but your second method worked perfectly. You’re a star.