How to set DNS over TLS on Linux

Debian and most popular Linux distributions

For most modern Linux distributions, we recommend using systemd-resolved.

Enable systemd-resolved

sudo systemctl enable --now systemd-resolved

Edit /etc/systemd/resolved.conf

sudo vim /etc/systemd/resolved.conf

Here's an example config:

/etc/systemd/resolved.conf
[Resolve]
DNS=185.222.222.222 45.11.45.11 2a09::#dot.sb 2a11::#dot.sb
DNSOverTLS=yes
DNSSEC=yes

or, with the TLS server name (#dot.sb) given for every address:

/etc/systemd/resolved.conf
[Resolve]
DNS=185.222.222.222#dot.sb 45.11.45.11#dot.sb 2a09::#dot.sb 2a11::#dot.sb
DNSOverTLS=yes
DNSSEC=yes

Restart systemd-resolved

sudo systemctl restart systemd-resolved

Edit /etc/resolv.conf

sudo vim /etc/resolv.conf

Set nameserver to 127.0.0.53

/etc/resolv.conf
nameserver 127.0.0.53

Test if DNS is working

root@server ~ # dig example.com
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63006
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;example.com.			IN	A
;; ANSWER SECTION:
example.com.		3309	IN	A	93.184.216.34
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jul 02 10:29:59 UTC 2021
;; MSG SIZE  rcvd: 56

The SERVER line shows that the response came from 127.0.0.53#53(127.0.0.53), the local systemd-resolved stub listener, so resolution is working.
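
The two example configs above differ only in whether the IPv4 entries carry a #dot.sb server name. The shell function below is an added example, not part of the original page or of systemd. It audits a resolved.conf for that difference and for strict DNSOverTLS and DNSSEC. The function name `audit_resolved_conf` and the policy that every DNS= entry should carry a server name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a resolved.conf for the
# DNS-over-TLS settings used above. Reads the file named as argument, or stdin.
# Prints one finding per line; exit status 0 means no findings.
audit_resolved_conf() {
    awk '
    /^[ \t]*[#;]/ { next }                          # comment lines
    /^[ \t]*\[/   { in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
    !in_resolve   { next }                          # only [Resolve] keys count
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "DNS") {
            if (val == "") n = 0                    # empty assignment clears the list
            else { m = split(val, p); for (i = 1; i <= m; i++) servers[++n] = p[i] }
        }
        else if (key == "DNSOverTLS") dot = tolower(val)
        else if (key == "DNSSEC")     dnssec = tolower(val)
    }
    END {
        bad = 0
        if (n == 0) { print "DNS: no upstream servers set"; bad = 1 }
        for (i = 1; i <= n; i++)
            if (servers[i] !~ /#.+/) {
                print "DNS: " servers[i] " has no #server_name (certificate is checked against the IP)"; bad = 1
            }
        if (dot !~ /^(yes|true|on|1)$/) {
            print "DNSOverTLS: \"" dot "\" is not strict mode (plaintext fallback or no TLS)"; bad = 1
        }
        if (dnssec !~ /^(yes|true|on|1)$/) {
            print "DNSSEC: \"" dnssec "\" does not enforce validation"; bad = 1
        }
        exit bad
    }' "$@"
}

# Demo on the first example config from this page (IPv4 entries lack a name).
audit_resolved_conf <<'EOF' || echo "findings listed above"
[Resolve]
DNS=185.222.222.222 45.11.45.11 2a09::#dot.sb 2a11::#dot.sb
DNSOverTLS=yes
DNSSEC=yes
EOF
```

On a configured host, run `audit_resolved_conf /etc/systemd/resolved.conf`. This inspects the file only; `resolvectl status` shows the settings systemd-resolved has actually applied.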