DEV Community

Using DNS over TLS on openSUSE Linux in 4 easy steps, enable cloud firewall for free today!

Archer Allstars

Android has offered DNS over TLS (DoT) since Android 9 through the Private DNS option: all you need is the hostname of the DoT resolver you want to use. On Linux it is not that easy yet. There is already a request to expose this in the GNOME settings menu, but until that lands we have to do a little work on the command line, which is why I think it is worth writing up here.

What is DNS over TLS, why does it matter, and how does it make your system more secure (for free)? DoT wraps your DNS queries in TLS, so whoever sits between you and the resolver (your ISP, the coffee-shop Wi-Fi, anyone on the path) can neither read which names you look up nor tamper with the answers. The "cloud firewall" part comes from the resolver you choose, not from DoT itself: a filtering resolver refuses to resolve known-malicious domains, so malware, phishing pages and scams never get a connection in the first place, rather than being let in and (hopefully) cleaned up later. Combining the two gives you an authenticated, encrypted path to a resolver that does the blocking for you. I recommend reading the linked explainer for more info.

The main purpose of this post is to show how to turn this feature on in just 4 steps. Without further ado, let's enable DNS over TLS (DoT) on openSUSE Tumbleweed in the easiest and most straightforward way.


1. Install the systemd-network package.

We need to install the systemd-network package, which is not installed by default on openSUSE Tumbleweed, because it provides systemd-resolved, the resolver service we will use from now on.



sudo zypper install systemd-network


If zypper reports that there is no such package on your snapshot, look for a separate systemd-resolved package instead (a commenter below installed it under that name).

2. Edit the /etc/systemd/resolved.conf file.

First, decide whether you want to enable DNS over TLS globally for all connections, or per connection (useful if you want to use different resolvers for different connections).
 

2.1. Setting up DNS over TLS globally for all connections.

This is easy and the route I recommend for anyone: set it and forget it. Open /etc/systemd/resolved.conf with:



sudo nano /etc/systemd/resolved.conf


Inside the file, every line is commented out with # by default (so it has no effect). Remove the # in front of the DNS= and DNSOverTLS=no lines to uncomment them:



[Resolve]
DNS=
DNSOverTLS=no



For DNS=, we have to decide which resolver service to use. I recommend Quad9, because it blocks known-malicious domains and comes with other security features by default; the comparison Lawrence Systems ran against Cloudflare and NextDNS is pretty impressive. So this will be our cloud firewall. Quad9 also states in its privacy policy (linked here) that it does not collect identifiable data about its users. The part after # in each address is the resolver's hostname: systemd-resolved sends it as the TLS Server Name Indication and, in strict mode, validates the server certificate against it, so do not leave it out.

DNSOverTLS is the mode switch. yes enforces DNS over TLS: every query goes over TLS to a resolver whose certificate validates, and if the resolver is down or does not speak TLS (your ISP's resolver, for example) name resolution simply fails. That makes it a kill switch: you effectively cannot reach the internet, but you also never leak a plaintext query. no turns it off. The third value, opportunistic, tries TLS first but silently falls back to plaintext on port 53 whenever TLS is unavailable and does not validate the server certificate, so anyone on the path who can block port 853 can downgrade you to plaintext. It is NOT RECOMMENDED; use it only if you knowingly prefer connectivity over confidentiality.

Therefore, here's our setting in /etc/systemd/resolved.conf:



[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNSOverTLS=yes



For more Quad9 address options (for example the unfiltered or ECS-enabled variants), see here.

 

2.2. Setting up DNS over TLS per connection.

Open your connection's settings in GNOME Settings. In the IPv4 tab, turn the Automatic DNS switch off and fill in the IPv4 addresses of your preferred resolver (I recommend Quad9: 9.9.9.9 and 149.112.112.112).

Then do the same in the IPv6 tab (for Quad9: 2620:fe::fe and 2620:fe::9).

Don't forget to hit the Apply button to save the settings!

Then open /etc/systemd/resolved.conf with sudo nano /etc/systemd/resolved.conf and set only the mode, leaving DNS= commented out so that the per-connection servers handed over by NetworkManager are used:



[Resolve]
DNSOverTLS=yes


DNSOverTLS can be yes if you want the kill switch (a connection whose resolver does not support DoT will not resolve anything), or opportunistic to get connected to everything first and tighten it later. Note that NetworkManager passes bare IP addresses to systemd-resolved, without the #dns.quad9.net hostname, so with DNSOverTLS=yes the certificate is validated against the IP address rather than a name; if your resolver's certificate is not valid for its IP addresses, use the global method in 2.1 instead. Recent NetworkManager releases (1.34 and later) also expose a per-profile connection.dns-over-tls property that sets this mode for a single connection when systemd-resolved is the DNS backend.


3. Make the necessary symlink.

To actually use the systemd-resolved we configured above, /etc/resolv.conf must point at systemd-resolved's stub file, /run/systemd/resolve/stub-resolv.conf. That file lists 127.0.0.53 as the only nameserver, so every program that resolves names through the C library is routed to systemd-resolved, and from there over TLS. Create the symlink with:



sudo ln -sf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf


  • ln creates links between files.
  • -sf combines -s (--symbolic) and -f (--force): force-replace whatever /etc/resolv.conf currently is (on openSUSE it is usually a file or link managed by netconfig) with the symlink.

Keep in mind that this only covers programs that use the system resolver. Anything that brings its own DNS client (a browser with DNS over HTTPS enabled, a container runtime with its own resolv.conf, a tool hard-wired to a public resolver) bypasses systemd-resolved and therefore bypasses both the encryption and the Quad9 filtering.

4. Enable and start systemd-resolved, then restart the network.

This is the last step! Enable systemd-resolved so it comes up at boot, then restart it together with NetworkManager so both pick up the new configuration:



sudo systemctl enable systemd-resolved.service
sudo systemctl restart systemd-resolved.service NetworkManager.service

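The whole procedure above, as an added example that is not part of the original post: a shell script that writes the strict-mode configuration as a drop-in file under /etc/systemd/resolved.conf.d/ (a systemd convention this example chooses instead of editing resolved.conf in place), audits the result for the two things that matter for security (DNSOverTLS=yes rather than opportunistic, and a #hostname on every server so the certificate is validated), and only touches the live system when run with --apply. The ROOT argument, the file name 10-dot.conf and the --apply flag are this example's own conventions, not systemd's or the post's.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the four steps as one script.
# Without --apply it only writes into a scratch directory and audits the
# result, so it can be read and run safely before touching a real box.
set -eu

# Quad9 anycast addresses with the resolver's hostname after '#'. That name
# is sent as TLS SNI and, with DNSOverTLS=yes, the certificate is validated
# against it; without it the certificate can only be matched to the bare IP.
QUAD9_DNS='9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net'

# write_dot_dropin ROOT [SERVERS]
# Writes ROOT/etc/systemd/resolved.conf.d/10-dot.conf (10-dot.conf is this
# example's own name). A drop-in keeps resolved.conf untouched, so a package
# update that ships a new resolved.conf cannot silently revert the setting.
write_dot_dropin() {
  local root=${1%/} servers=${2:-$QUAD9_DNS}
  local dir="$root/etc/systemd/resolved.conf.d"
  mkdir -p "$dir"
  cat > "$dir/10-dot.conf" <<EOF
[Resolve]
DNS=$servers
DNSOverTLS=yes
EOF
  printf '%s\n' "$dir/10-dot.conf"
}

# audit_resolved_conf FILE
# Succeeds only if FILE enforces strict DoT: DNSOverTLS=yes (not
# opportunistic, which silently falls back to plaintext and skips
# certificate validation) and a '#hostname' on every server in DNS=.
audit_resolved_conf() {
  local file=$1 mode servers s
  mode=$(sed -n 's/^[[:space:]]*DNSOverTLS=[[:space:]]*//p' "$file" | tail -n1)
  servers=$(sed -n 's/^[[:space:]]*DNS=[[:space:]]*//p' "$file" | tail -n1)
  [ "$mode" = "yes" ] || { echo "audit: DNSOverTLS is '${mode:-unset}', not 'yes'" >&2; return 1; }
  [ -n "$servers" ] || { echo "audit: DNS= is empty" >&2; return 1; }
  for s in $servers; do
    case $s in
      *#?*) ;;
      *) echo "audit: $s carries no #hostname for certificate validation" >&2; return 1 ;;
    esac
  done
  return 0
}

# apply_live: steps 1 to 4 against the running openSUSE system (needs root).
apply_live() {
  zypper --non-interactive install systemd-network
  write_dot_dropin /
  ln -sf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
  systemctl enable --now systemd-resolved.service
  systemctl restart systemd-resolved.service NetworkManager.service
  audit_resolved_conf /etc/systemd/resolved.conf.d/10-dot.conf
}

if [ "${1:-}" = "--apply" ]; then
  apply_live
else
  # Dry run: write into a scratch root, audit it, clean up.
  scratch=$(mktemp -d)
  conf=$(write_dot_dropin "$scratch")
  audit_resolved_conf "$conf" && echo "dry run OK: $conf"
  rm -rf "$scratch"
fi
```

Run it without arguments first to see the file it would write; run it as root with --apply to perform the steps. The audit is the useful part to keep around: running it against your real drop-in after an update tells you in one line whether somebody turned the mode down to opportunistic or dropped the hostnames.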


After all the steps above, DNS over TLS should now be enabled. We can check this by running in the terminal (see here):



dig +short txt proto.on.quad9.net.



If the response is dot, it is working! A different answer means your queries are still reaching Quad9 unencrypted; no answer at all usually means the strict-mode kill switch is doing its job against a resolver it could not validate. Either way, go back and check DNSOverTLS= and the /etc/resolv.conf symlink. You can also check whether Quad9 is configured properly on Quad9's test page here.

Another page I would recommend for checking your DNS security is dnscheck.tools.
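A runtime check, added here as an example and not part of the original post: the dig query above tells you what Quad9 saw for one query, but not whether every link on the machine is covered, nor whether /etc/resolv.conf still points at the stub. The script below checks both from resolvectl status output and a resolv.conf file. The sample status text is constructed in the shape of resolvectl status output (not captured from a real machine) and the --live flag is this example's own convention.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: confirm strict DoT is in force
# on the running system, not merely written into resolved.conf.
set -eu

# protocols_all_dot STATUS_TEXT
# Reads every "Protocols:" line of `resolvectl status` output (the Global
# section and each Link section) and succeeds only if all of them carry
# +DNSOverTLS. A link showing -DNSOverTLS or DNSOverTLS=opportunistic (a
# VPN profile can push that) means queries for that link's servers may
# leave in plaintext, so the whole check fails and names the line.
protocols_all_dot() {
  local text=$1 lines bad
  lines=$(printf '%s\n' "$text" | grep 'Protocols:' || true)
  [ -n "$lines" ] || { echo "no Protocols: lines found" >&2; return 1; }
  bad=$(printf '%s\n' "$lines" | grep -v '+DNSOverTLS' || true)
  [ -z "$bad" ] || { printf 'not strict:%s\n' "$bad" >&2; return 1; }
}

# stub_in_use RESOLV_CONF
# Succeeds only if every nameserver in the file is resolved's stub listener
# 127.0.0.53. Any other address means libc sends queries straight to that
# server, bypassing resolved and with it both DoT and the Quad9 filtering;
# that is what happens when netconfig or a DHCP hook rewrites the file.
stub_in_use() {
  local file=$1 servers others
  servers=$(sed -n 's/^nameserver[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$file")
  [ -n "$servers" ] || { echo "no nameserver line in $file" >&2; return 1; }
  others=$(printf '%s\n' "$servers" | grep -vx '127\.0\.0\.53' || true)
  [ -z "$others" ] || { printf 'bypass: nameserver %s in %s\n' "$others" "$file" >&2; return 1; }
}

# quad9_transport: asks Quad9 which transport the query arrived over.
# Expect "dot"; any other answer means the query reached Quad9 unencrypted.
quad9_transport() {
  dig +short txt proto.on.quad9.net. | tr -d '"'
}

# Constructed sample in the shape of `resolvectl status` (not captured from
# a real host): global DoT is strict and the Wi-Fi link inherits it, but a
# VPN link (tun0) was left opportunistic.
SAMPLE_STATUS='Global
         Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 9.9.9.9#dns.quad9.net
       DNS Servers: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net

Link 2 (wlp3s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 9.9.9.9#dns.quad9.net

Link 3 (tun0)
    Current Scopes: DNS
         Protocols: -DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=no/unsupported
       DNS Servers: 10.8.0.1'

if [ "${1:-}" = "--live" ]; then
  protocols_all_dot "$(resolvectl status)"
  stub_in_use /etc/resolv.conf
  [ "$(quad9_transport)" = "dot" ] && echo "strict DoT in force on every link"
else
  # Offline demonstration: the sample is rejected because of tun0.
  protocols_all_dot "$SAMPLE_STATUS" || echo "sample rejected, as expected"
fi
```

Run it with --live on the configured machine; a non-zero exit with the offending line on stderr is the thing to look at. The per-link check matters because NetworkManager can apply a different DNSOverTLS mode to one profile (a VPN or a captive-portal hotspot) than the global default, and resolved routes queries per link, so a single non-strict link is a plaintext path even when the Global section says +DNSOverTLS.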

Note: DNSSEC validation in systemd-resolved is an experimental feature, although it hasn't been documented as such for some reason; see systemd PR #28386. Basically, nobody should use it in production and expect it to work correctly, which is why I don't enable DNSSEC in this walkthrough. Quad9's resolvers validate DNSSEC by default, so you still benefit from it without enabling it locally. The catch with resolver-side validation is that the client only sees the AD bit in the answer, which is trivial to forge on the wire; the strict DoT setup above is what makes trusting that bit reasonable, because the answer arrives over an authenticated channel from the resolver that did the validation.

I think this is it for today. I hope this helps, bye 💨


Cover Photo by Patrick Turner on Unsplash

Robot Photo by Arseny Togulev on Unsplash

Top comments (7)

Mike

Thank you very much for this blog. Finally I can use secure DNS on tumbleweed.

Archer Allstars

Thanks! I am glad it helps 🥰

kendall green

I am trying to set up DNSSEC on Tumbleweed using Wicked. Wicked worked fine with DHCP but when adding systemd-resolved it fails to make a connection, "connections error to ::1#53: connection refused"
"no servers could be reached" using nslookup or dig
Any help appreciated.

Archer Allstars

I am not familiar with Wicked. I would recommend using only systemd-resolved if you can, as it's not made with any specific distro in mind. It also integrates well with the system, if not better than Wicked.

kendall green

I got it to work with Wicked and systemd-resolved.conf. I added DNSSEC=yes to /etc/systemd/resolved.conf and linked /etc/resolv.conf to /run/netconfig/resolv.conf

Archer Allstars

I'm glad it works out for you! 👍️

kendall green

Wicked is like NetworkManager or WICD. I am also using xfce4 rather than gnome. I can switch over to NetworkManager but then YAST can't configure some of the Network settings. I added the package systemd-resolved, but there is no resolved.conf, just resolved.conf.d. I added resolved.conf as you indicated but there is no /run/systemd/resolve/stub-resolv.conf to link to resolved.conf. I am running tumbleweed version 20240712