Enable DoT (DNS over TLS) on Linux
DNS queries are sent in plaintext by default, which means anyone snooping on the same network as you can see every website you visit. Worse, the responses to those queries can be tampered with, so instead of just snooping, a bad actor can redirect you to a malicious server instead of the website you wanted to visit.
DoT works by encrypting these DNS queries with TLS on top of the UDP (or in some cases TCP) packets used by DNS, so you get the same kind of protection for DNS that HTTPS gives you for web traffic.
Enable DoT using stubby
stubby is an application that acts as a local DNS resolver and encrypts all DNS traffic with TLS by default, so to enable DoT you install stubby and configure your network settings to use it as the DNS server:
1- Install stubby using your distro package manager (sudo apt install stubby / sudo pacman -S stubby …)
2- Configure stubby. The default configuration at /etc/stubby/stubby.yml is a good starting point; I only uncommented a few lines:
listen_addresses:
  # stubby separates address and port with @, not :
  - 127.0.0.1@8053
  - 0::1@8053
and under the section ### Anycast services ### I uncommented the cloudflare servers in addition to quad9.
The reason I changed the default listen_addresses is that I wanted to use port 8053 instead of 53 and leave 53 free so that I can configure dnsmasq to use it (next section). If you don't want to use dnsmasq, leave the default and skip the next section completely.
When editing the config be careful with whitespace: the file is in YAML format, and a single space in the wrong place makes the config invalid. Once you are done editing, run sudo stubby -i to validate the config syntax.
Once that passes, enable and start the stubby systemd service: sudo systemctl enable --now stubby.service
Make DNS Queries Faster using dnsmasq
dnsmasq is a lightweight DNS caching and DHCP server. You will use it to cache the results of the upstream DNS servers; on my machine this saved at least ~300ms per request. The idea is to configure your machine to use dnsmasq as the DNS resolver and then set stubby as the upstream DNS server in dnsmasq.
Like stubby, you should be able to install it with your package manager, and again only a few changes to the default config under /etc/dnsmasq.conf are needed:
1- Uncomment #dnssec. This enables DNSSEC validation and caching; in short, DNSSEC makes sure that the upstream resolver that returns the result of a DNS query is really the right authoritative name server.
2- Use the addresses you configured as listen_addresses in stubby for the server option:
server=127.0.0.1#8053
server=::1#8053
3- Increase the cache size: cache-size=10000
That should be mostly it. You can read through the rest of the config and see if you want to make more changes; there are some useful options like giving LAN devices DNS hostnames so you can reach them by name instead of IP address, or blocking some domains, which can serve as a sort of parental control or ad blocker, similar to what pi-hole or AdGuard do.
Once you are done, verify that the config syntax is correct with dnsmasq --test. If everything is OK so far, enable the systemd service:
sudo systemctl enable --now dnsmasq.service
Configure your device to use dnsmasq as the resolver
There are multiple ways to do this. It can be as simple as editing the individual connection and using localhost as the resolver, but the most reliable way is to edit /etc/resolv.conf:
nameserver 127.0.0.1
nameserver ::1
Make sure these are the only two entries in the file, then protect the file from being overwritten by NetworkManager:
sudo chattr +i /etc/resolv.conf
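A verification script for the finished setup, added here as an example and not part of the original post. It assumes ss (from iproute2) and dig are installed, that dnsmasq listens on port 53 and stubby on port 8053 as configured above, and it uses example.com (a DNSSEC-signed zone; my choice of probe name, not the post's) for the live lookups. Each check is a small function that reads command output on stdin, so the same checks can be run on captured text as well as on the running system:

```shell
#!/bin/sh
# dot-check.sh: sanity checks for the stubby + dnsmasq setup.
# Every check is a function reading its input on stdin, so each one can be run
# on live command output or on captured text. `sh dot-check.sh check` runs all
# of them against the running system.

# 1. resolv.conf must name only loopback resolvers; anything else lets some
#    lookups bypass dnsmasq/stubby and leave the host in plaintext.
resolv_only_localhost() {
    awk '/^[[:space:]]*nameserver[[:space:]]/ {
             n++
             if ($2 != "127.0.0.1" && $2 != "::1") bad++
         }
         END { exit ((n > 0 && bad == 0) ? 0 : 1) }'
}

# 2. Something must listen on the given port in `ss -lntu` output
#    (column 5 is Local Address:Port). Port 53 should be dnsmasq, 8053 stubby.
#    The check is port-based, so any listener on that port satisfies it.
has_listener() {
    awk -v port="$1" 'NR > 1 && $5 ~ (":" port "$") { found = 1 }
                      END { exit (found ? 0 : 1) }'
}

# 3. Count connections to a non-loopback peer on port 53 in `ss -tun` output
#    (column 6 is Peer Address:Port). With DoT, upstream traffic should only
#    go to port 853; a remote :53 peer means plaintext DNS is leaving the host.
count_plaintext_dns() {
    awk 'NR > 1 && $6 ~ /:53$/ && $6 !~ /^127\./ && $6 !~ /^\[::1\]/ { n++ }
         END { print n + 0 }'
}

# 4. dig prints the "ad" (authenticated data) flag only when the resolver it
#    asked, dnsmasq here, actually validated the answer with DNSSEC.
dnssec_validated() {
    grep -Eq '^;; flags:( [a-z]+)* ad( [a-z]+)*;'
}

check_all() {
    rc=0
    resolv_only_localhost < /etc/resolv.conf \
        && echo "ok   resolv.conf points only at loopback" \
        || { echo "FAIL resolv.conf has a non-loopback nameserver"; rc=1; }
    ss -lntu | has_listener 53 \
        && echo "ok   a resolver is listening on port 53 (dnsmasq)" \
        || { echo "FAIL nothing listening on port 53"; rc=1; }
    ss -lntu | has_listener 8053 \
        && echo "ok   a resolver is listening on port 8053 (stubby)" \
        || { echo "FAIL nothing listening on port 8053"; rc=1; }
    # Trigger a lookup so an upstream connection exists, then look for leaks.
    dig +short example.com @127.0.0.1 > /dev/null 2>&1 || true
    leaks=$(ss -tun | count_plaintext_dns)
    [ "$leaks" -eq 0 ] \
        && echo "ok   no plaintext DNS connections to a remote port 53" \
        || { echo "FAIL $leaks connection(s) to a remote port 53"; rc=1; }
    dig +dnssec example.com @127.0.0.1 | dnssec_validated \
        && echo "ok   answer carries the ad flag, DNSSEC validation works" \
        || { echo "FAIL no ad flag: dnsmasq is not validating"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "check" ]; then
    check_all
fi
```

Run it as sh dot-check.sh check once both services are up. If the last check fails while everything else passes, the usual cause is that dnssec was enabled in /etc/dnsmasq.conf without the conf-file= line for trust-anchors.conf that sits right next to #dnssec in the default config; dnsmasq cannot validate without a trust anchor. A non-zero plaintext count right after the probe lookup means some lookups are still going out unencrypted, typically because a program or another resolver on the host is not using dnsmasq.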
Can I use this to get around censorship/hide my internet activity?
No. DNS only translates domain names to IP addresses. While some ISPs use DNS for soft-banning sites, most will outright ban the site's IP address(es). Your traffic still has to hop through your ISP's network first, and the final destination IP address is in those packets. You can use a VPN service to hide your traffic from your ISP/government (but your VPN provider will have that information instead), use Tor, or rent a simple VPS, set up OpenVPN there and use that.