
Mehdi mFat

How to enable system-wide DNS-over-HTTPS on linux

In this tutorial we learn how to enable system-wide DNS-over-HTTPS on Linux so that every DNS query the system makes is protected. DNS-over-HTTPS, or simply DoH, encrypts DNS traffic by carrying DNS queries inside HTTPS requests.

This how-to was tested on Fedora 38 but should work on other Linux distributions too.

First we need to install dnscrypt-proxy, which acts as a local client (forwarder) for DoH servers:

sudo dnf install dnscrypt-proxy


Now we need to edit its configuration file:

sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml


In this example we configure two upstream servers and make dnscrypt-proxy listen on the loopback address, port 53:

server_names = ['adfilter', 'ahadns']
listen_addresses = ['127.0.0.1:53']

You can also add more popular servers such as 'cloudflare' or 'google' to server_names.

Now we scroll down to the [static] section and add an entry for each of the two servers:

[static]

   [static.'adfilter']
   stamp = 'sdns://AgMAAAAAAAAADjE2My40Ny4xMTcuMTc2oMwQYNOcgym2K2-8fQ1t-TCYabmB5-Y5LVzY-kCPTYDmIEROvWe7g_iAezkh6TiskXi4gr1QqtsRIx8ETPXwjffOEGFkbC5hZGZpbHRlci5uZXQKL2Rucy1xdWVyeQ'

   [static.'ahadns']
   stamp = 'sdns://AgMAAAAAAAAACTUuMi43NS43NQARZG9oLm5sLmFoYWRucy5uZXQKL2Rucy1xdWVyeQ'


For any DoH server you need its DNS "stamp", an sdns:// string that encodes the server's address, hostname, path and advertised properties. It is usually published on the DNS provider's website.

Now we save the file and exit the nano editor.

Then we restart the service so the new configuration takes effect:

sudo systemctl restart dnscrypt-proxy.service


Now we need to make the system actually use this configuration. The default DNS resolver on modern Linux systems is systemd-resolved.

We tell systemd-resolved to forward all DNS queries to dnscrypt-proxy, which is listening on 127.0.0.1:53.

To do so we create a so-called drop-in file for systemd-resolved using this command (the Domains=~. line routes every domain, i.e. the whole DNS root, through this server so that no per-interface DNS settings take precedence):

sudo mkdir -p /etc/systemd/resolved.conf.d
cat <<EOF | sudo tee /etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=127.0.0.1
Domains=~.
EOF

We also need to make sure that all lines in /etc/systemd/resolved.conf are commented out, so that nothing there conflicts with the drop-in.

Now we can restart the systemd resolver:

sudo systemctl restart systemd-resolved.service

If everything has been set up correctly, our DNS queries are now encrypted and sent over HTTPS. Running resolvectl status should list 127.0.0.1 as the DNS server.
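Since a stamp copied from a provider's website is trusted blindly by dnscrypt-proxy, it is worth decoding it before pasting it into the [static] section to confirm which host, IP, path and certificate pins it actually encodes. The decoder below is an added example, not code from the original post or from the dnscrypt-proxy project; it follows the public DNS stamps format (sdns:// prefix, base64url without padding, protocol byte 0x02 for DoH) and uses the two stamps from the [static] section above as its input.

```python
import base64
from dataclasses import dataclass
STAMPS = {  # the two stamps from the [static] section of the post
    "adfilter": "sdns://AgMAAAAAAAAADjE2My40Ny4xMTcuMTc2oMwQYNOcgym2K2-8fQ1t-TCYabmB5-Y5LVzY-kCPTYDmIEROvWe7g_iAezkh6TiskXi4gr1QqtsRIx8ETPXwjffOEGFkbC5hZGZpbHRlci5uZXQKL2Rucy1xdWVyeQ",
    "ahadns": "sdns://AgMAAAAAAAAACTUuMi43NS43NQARZG9oLm5sLmFoYWRucy5uZXQKL2Rucy1xdWVyeQ",
}
@dataclass
class DohStamp:
    dnssec: bool         # server validates DNSSEC
    no_logs: bool        # server claims not to keep logs
    no_filter: bool      # server claims not to block domains
    addr: str            # IP (optionally with port) the client connects to; may be empty
    hashes: list         # hex SHA-256 digests of pinned TBS certificates; may be empty
    hostname: str        # hostname used for TLS SNI and the Host header
    path: str            # URL path of the DoH endpoint
    bootstrap_ips: list  # resolvers used to look up hostname when addr is empty

def _lp(buf: bytes, pos: int):
    """LP(x): one length byte followed by that many bytes."""
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n

def _vlp(buf: bytes, pos: int):
    """VLP(x1..xn): LP items in sequence; bit 0x80 of a length byte means another item follows."""
    items = []
    while True:
        n = buf[pos]
        items.append(buf[pos + 1:pos + 1 + (n & 0x7F)])
        pos += 1 + (n & 0x7F)
        if not n & 0x80:
            return [i for i in items if i], pos  # an empty list is encoded as one empty item

def decode_doh_stamp(stamp: str) -> DohStamp:
    """Decode a DoH stamp (sdns://, protocol byte 0x02) following the public DNS stamps format."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore stripped padding
    if raw[0] != 0x02:
        raise ValueError(f"protocol byte 0x{raw[0]:02x} is not DoH (0x02)")
    props = int.from_bytes(raw[1:9], "little")  # bit 0 DNSSEC, bit 1 no logs, bit 2 no filter
    addr, pos = _lp(raw, 9)
    hashes, pos = _vlp(raw, pos)
    hostname, pos = _lp(raw, pos)
    path, pos = _lp(raw, pos)
    bootstrap = _vlp(raw, pos)[0] if pos < len(raw) else []
    return DohStamp(bool(props & 1), bool(props & 2), bool(props & 4), addr.decode(),
                    [h.hex() for h in hashes], hostname.decode(), path.decode(),
                    [b.decode() for b in bootstrap])
```

Decoding the ahadns stamp yields hostname doh.nl.ahadns.net, address 5.2.75.75 and path /dns-query with the DNSSEC and no-logs bits set, while the adfilter stamp resolves to adl.adfilter.net at 163.47.117.176 and additionally pins two certificate hashes.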
