Introduction
Note: The maintainers of systemd-resolved emphasize that this DNS over TLS implementation is currently a work in progress. You may consider using Stubby instead if experiencing performance issues. See here for Ubuntu 18.04 / 20.04 + Stubby instructions.
Ubuntu 20.04 and Linux Mint 20.3 support DNS over TLS natively in systemd-resolved, but the option is not available in the GUI.
Steps
1. Configure Quad9 in the Network Settings (Ubuntu, Linux Mint).
2. Open the Terminal application, and copy/paste this command to enable DNS over TLS. When prompted for your password, type it in and hit "Enter". The command switches the shipped default line "#DNSOverTLS=no" to "DNSOverTLS=yes" (strict mode: queries go only over TLS on port 853 and never fall back to plain port 53):
sudo sed -i 's/#DNSOverTLS=no/DNSOverTLS=yes/g' /etc/systemd/resolved.conf
3. Restart the systemd-resolved and networking services to recognize the changes to the file:
sudo systemctl restart systemd-resolved.service && sudo service network-manager restart
4. Confirm that DNS over TLS is being used by opening the Terminal application and running the following command (it captures traffic on TCP port 853, the DNS over TLS port), typing in your password and pressing "Enter". Leave it running for the next step:
sudo tcpdump -i any 'port 853'
5. Visit some websites which you have not visited in a while, so the DNS query will be sent to Quad9.
6. If DNS over TLS is being used, you'll see output that looks like this (the client, here 10.0.2.15, talking to Quad9's 149.112.112.112 on port 853):
10:07:49.877905 IP 10.0.2.15.42390 > 149.112.112.112.853: Flags [P.], seq 2559080296:2559080320, ack 126340207, win 62780, length 24
10:07:49.878127 IP 149.112.112.112.853 > 10.0.2.15.42390: Flags [.], ack 24, win 65535, length 0
10:07:49.884496 IP 149.112.112.112.853 > 10.0.2.15.42390: Flags [P.], seq 1:25, ack 24, win 65535, length 24
10:07:49.884517 IP 10.0.2.15.42390 > 149.112.112.112.853: Flags [.], ack 25, win 62780, length 0
10:07:49.884534 IP 149.112.112.112.853 > 10.0.2.15.42390: Flags [F.], seq 25, ack 24, win 65535, length 0
10:07:49.884626 IP 10.0.2.15.42390 > 149.112.112.112.853: Flags [F.], seq 24, ack 26, win 62780, length 0
10:07:49.884696 IP 149.112.112.112.853 > 10.0.2.15.42390: Flags [.], ack 25, win 65535, length 0
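The steps above can also be done with a drop-in file rather than editing /etc/systemd/resolved.conf in place, which is safer because the sed command is a silent no-op if the default "#DNSOverTLS=no" line has already been changed. The script below is an added example, not part of Quad9's page or of systemd; the file name quad9-dot.conf, the ROOT prefix (so the functions can be dry-run under a temporary directory) and the DOT_APPLY variable are this example's own choices. The constructed tcpdump lines used by the capture check mirror the output shown in step 6.

```shell
#!/bin/sh
# Added example (not Quad9's or systemd's own code): enable DNS over TLS for
# Quad9 in systemd-resolved via a drop-in, then check the effective config and
# a tcpdump capture. Everything is written under a ROOT prefix so the functions
# can be exercised in a temporary directory; ROOT=/ applies it to the system.
set -eu

# Write the drop-in. systemd-resolved reads resolved.conf first and then every
# *.conf under resolved.conf.d/ in lexical order; the last assignment wins, so
# this overrides the shipped default whether or not the commented
# "#DNSOverTLS=no" line is still present (the sed approach depends on it).
enable_dot() {
    root=$1
    dir="$root/etc/systemd/resolved.conf.d"
    mkdir -p "$dir"
    cat > "$dir/quad9-dot.conf" <<'EOF'
[Resolve]
# Quad9's published IPv4 resolvers (149.112.112.112 is the one in the capture).
# Global DNS= servers are used alongside the per-connection servers set in
# NetworkManager, so those must also support DNS over TLS in strict mode.
DNS=9.9.9.9 149.112.112.112
# "yes" is strict mode: resolution fails rather than falling back to plain
# port 53 when the TLS session cannot be established; "opportunistic" would
# fall back silently.
DNSOverTLS=yes
EOF
}

# Print the effective value of a [Resolve] key the way resolved will see it:
# main file first, then drop-ins sorted by name, last uncommented assignment
# wins. Prints "unset" when no file assigns the key.
effective_setting() {
    root=$1; key=$2
    value=unset
    for f in "$root/etc/systemd/resolved.conf" "$root"/etc/systemd/resolved.conf.d/*.conf; do
        [ -f "$f" ] || continue
        # "#Key=..." lines are comments and must not match; only "Key=" at
        # line start (after optional whitespace) counts.
        v=$(sed -n "s/^[[:space:]]*$key=[[:space:]]*//p" "$f" | tail -n 1)
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# Given tcpdump text output (captured without the 'port 853' filter, e.g.
# `tcpdump -i any -n 'port 853 or port 53'`), succeed only if DNS traffic was
# seen on port 853 and nothing was sent to a resolver on plain port 53. Both
# present means some lookups still leak in the clear (another interface, or a
# program using its own stub resolver instead of systemd-resolved).
check_capture() {
    capture=$1
    tls=$(grep -c '\.853[ :]' "$capture" || true)
    plain=$(grep -c '\.53[ :]' "$capture" || true)
    [ "${tls:-0}" -gt 0 ] && [ "${plain:-0}" -eq 0 ]
}

# Apply for real (needs root): DOT_APPLY=1 sh quad9-dot.sh
# DOT_APPLY is this example's own guard variable, not a systemd setting.
if [ "${DOT_APPLY:-0}" = 1 ]; then
    enable_dot /
    systemctl restart systemd-resolved.service
    echo "effective DNSOverTLS: $(effective_setting / DNSOverTLS)"
    resolvectl status | grep 'DNSOverTLS setting'
fi
```

After applying, `resolvectl status` should show "DNSOverTLS setting: yes" in its Global section, and `grep DNSOverTLS /etc/systemd/resolved.conf` is the quick way to see whether the sed in step 2 actually changed anything. One caveat on what strict mode buys you: with only an IP address configured, resolved validates the server's certificate chain but cannot tie it to a name; systemd 246 and later accept the form `DNS=9.9.9.9#dns.quad9.net`, which sends SNI and checks the certificate against that hostname, so check `systemctl --version` before relying on it (Ubuntu 20.04 ships 245).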
Undo
If you experience any issues or want to undo this configuration change:
1. Open the Terminal application, and copy/paste this command to disable DNS over TLS (it restores the default commented line "#DNSOverTLS=no"). You'll be prompted for your password.
sudo sed -i 's/DNSOverTLS=yes/#DNSOverTLS=no/g' /etc/systemd/resolved.conf
2. Restart the systemd-resolved and networking services to recognize the change to the file we just made:
sudo systemctl restart systemd-resolved.service && sudo service network-manager restart
Questions, concerns, issues?
Contact our support team.