# DNS

List of DNS servers. Entries are written in the `ip:port#hostname` form that systemd-resolved expects in `DNS=`; the `#hostname` part is used for SNI and for validating the server certificate when DNS over TLS (DoT) is enabled.

* kuketz-blog
  * [https://www.kuketz-blog.de/empfehlungsecke/#dns](https://www.kuketz-blog.de/empfehlungsecke/#dns)
* Digitalcourage
  * [https://digitalcourage.de/support/zensurfreier-dns-server](https://digitalcourage.de/support/zensurfreier-dns-server)
  * DoT, DNSSEC: `5.9.164.112:853#dns3.digitalcourage.de`
  * DoT, DNSSEC: `46.182.19.48:853#dns2.digitalcourage.de`
* Digitale Gesellschaft
  * [https://www.digitale-gesellschaft.ch/dns/](https://www.digitale-gesellschaft.ch/dns/)
  * DoT, DNSSEC: `185.95.218.42:853#dns.digitale-gesellschaft.ch`
  * DoT, DNSSEC: `185.95.218.43:853#dns.digitale-gesellschaft.ch`
* UncensoredDNS
  * [https://blog.uncensoreddns.org/dns-servers/](https://blog.uncensoreddns.org/dns-servers/)
  * DoT: `89.233.43.71:853#unicast.uncensoreddns.org`
* Freifunk München
  * [https://ffmuc.net/wiki/doku.php?id=knb:dohdot](https://ffmuc.net/wiki/doku.php?id=knb:dohdot)
  * DoT: `5.1.66.255:853#dot.ffmuc.net`
  * DoH: `doh.ffmuc.net` (DoH runs over HTTPS on port 443, not 853; systemd-resolved only supports DoT, so this entry is not usable in the configuration below)

## Unencrypted DNS - Network Manager Configuration

* [https://wiki.archlinux.org/index.php/NetworkManager#Custom_DNS_servers](https://wiki.archlinux.org/index.php/NetworkManager#Custom_DNS_servers)

These servers are queried on plain port 53, so queries and answers can be read and modified by anyone on the path. Use this only as the baseline before switching to the encrypted setup below.

```shell
echo '[global-dns-domain-*]
# servers=serveripaddress1,serveripaddress2,serveripaddress3
servers=46.182.19.48,2a02:2970:1002::18,91.239.100.100,2001:67c:28a4::,89.233.43.71,2a01:3a0:53:53::' \
  | sudo tee /etc/NetworkManager/conf.d/dns-servers.conf
sudo systemctl restart NetworkManager
```

## Encrypted DNS - systemd-resolved

* [https://wiki.archlinux.org/index.php/Systemd-resolved#DNS_over_TLS](https://wiki.archlinux.org/index.php/Systemd-resolved#DNS_over_TLS)
* [https://www.freedesktop.org/software/systemd/man/resolved.conf.html](https://www.freedesktop.org/software/systemd/man/resolved.conf.html)
  * `Domains=~.`
  * [https://unix.stackexchange.com/a/632292](https://unix.stackexchange.com/a/632292)
* [https://fedoramagazine.org/use-dns-over-tls/](https://fedoramagazine.org/use-dns-over-tls/)

> systemd-resolved provides resolver services
> for Domain Name System (DNS) (including DNSSEC
> and DNS over TLS), Multicast DNS (mDNS) and
> Link-Local Multicast Name Resolution (LLMNR)

Installation:

```shell
# already preinstalled; the systemd package contains systemd-resolved
sudo pacman -S --needed systemd
# remove openresolv: it conflicts with the systemd-resolvconf package
# installed next (both provide /usr/bin/resolvconf)
sudo pacman -Rns openresolv
# optional: resolvconf replacement that hands updates to systemd-resolved
sudo pacman -S --needed systemd-resolvconf
```

Resolver configuration:

```shell
sudo mkdir -p /etc/systemd/resolved.conf.d
echo \
'[Resolve]
DNS=5.9.164.112:853#dns3.digitalcourage.de 46.182.19.48:853#dns2.digitalcourage.de
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=185.95.218.42:853#dns.digitale-gesellschaft.ch 185.95.218.43:853#dns.digitale-gesellschaft.ch 89.233.43.71:853#unicast.uncensoreddns.org 5.1.66.255:853#dot.ffmuc.net
Domains=~.
Cache=yes
#LLMNR=yes
#MulticastDNS=yes
#DNSStubListener=yes
#ReadEtcHosts=yes' \
  | sudo tee /etc/systemd/resolved.conf.d/DoT.conf >/dev/null
```

Notes on the settings:

* `DNSOverTLS=yes` is the strict mode: if the TLS connection or the certificate validation fails, resolution fails instead of silently falling back to cleartext. `DNSOverTLS=opportunistic` would fall back to port 53 and therefore gives no guarantee against a downgrading attacker.
* Every server needs its `#hostname` suffix, otherwise systemd-resolved has no name to validate the certificate against.
* `DNSSEC=yes` is also strict and fails for zones or servers that do not validate; `DNSSEC=allow-downgrade` is the lenient alternative if some network breaks lookups.
* `Domains=~.` routes all lookups to these global servers instead of the per-link servers that NetworkManager receives via DHCP.
* `FallbackDNS=` is only consulted when no other DNS servers are configured at all (neither `DNS=` nor per-link servers), so with `DNS=` set as above these servers are normally never used. Add them to `DNS=` if they should actually be tried.

NetworkManager -> use systemd-resolved:

* There are multiple alternatives to do this.
* From the man page [https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html](https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html): if `/etc/resolv.conf` is a symlink to the systemd-resolved stub file (see the symlink commands below), NetworkManager will automatically use systemd-resolved. This is the nicest method.
  * [https://wiki.archlinux.org/index.php/Systemd-resolved#DNS](https://wiki.archlinux.org/index.php/Systemd-resolved#DNS)
* Alternative: add `[main] dns=systemd-resolved` to `/etc/NetworkManager/conf.d/dns.conf`
  * [https://wiki.archlinux.org/index.php/NetworkManager#systemd-resolved](https://wiki.archlinux.org/index.php/NetworkManager#systemd-resolved)

```shell
# /etc/resolv.conf is currently generated by NetworkManager; keep a backup
sudo systemctl stop NetworkManager
if [ ! -f /etc/resolv.conf.backup ]; then
    sudo mv /etc/resolv.conf /etc/resolv.conf.backup
fi
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
```

Enabling systemd-resolved:

```shell
sudo systemctl enable --now systemd-resolved.service
```

Restarting NetworkManager:

```shell
sudo systemctl restart NetworkManager
```

After some seconds, `/etc/resolv.conf` should contain `nameserver 127.0.0.53`, the local stub listener of systemd-resolved:

```shell
cat /etc/resolv.conf
```

## Troubleshooting

### View global and per-link DNS settings

```shell
resolvectl status
```

The global section should list the configured servers and show `+DNSOverTLS` and `DNSSEC=yes` in the protocol flags.

### Watch journal

1) Enable debug

```shell
sudo systemctl edit systemd-resolved
```

```
[Service]
Environment=SYSTEMD_LOG_LEVEL=debug
```

```shell
sudo systemctl restart systemd-resolved
```

2) View the log

```shell
journalctl -u systemd-resolved -f
```

## Verification of unencrypted DNS

```shell
sudo pacman -S --needed ngrep
sudo ngrep port 53
```

The destination IP addresses should be one of the configured DNS servers, and the query name is readable in the packet payload:

```
yoda@yodaTux ~ % sudo ngrep port 53
interface: wlp1s0 (192.168.178.0/255.255.255.0)
filter: ( port 53 ) and ((ip || ip6) || (vlan && (ip || ip6)))
#
U 192.168.178.71:60481 -> 46.182.19.48:53 #1
  <............wiki.archlinux.org.....
```

## Verification of encrypted DNS

```shell
sudo pacman -S --needed ngrep
# output should be empty
sudo ngrep port 53
# configured DoT addresses should be visible
sudo ngrep port 853
```

Only TCP connections to port 853 of the configured servers should appear, and the payload is TLS ciphertext, so no query name is visible:

```
yoda@yodaTux ~ % sudo ngrep port 853
[...]
#
T 192.168.178.71:48350 -> 5.9.164.112:853 [AP] #274
  ....P.G.B.(...%/. e"..A".w.>.h..a.../...<.3b. ^.d......'bj...w.qU.... ....90..4.LL.=.&
```

ngrep captures a single physical interface (here `wlp1s0`), so the cleartext traffic between local clients and the stub listener on `127.0.0.53` does not show up in either capture; it stays on the loopback interface.
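## Verification of the configuration

The ngrep captures above verify what leaves the machine; the following script checks the configuration itself, so a mistake is caught before traffic is generated. It is an added example written for this page and is not part of the original notes, of systemd or of any distribution package. The function names `resolved_get` and `audit_dot_config` are made up for the example. It parses a `resolved.conf.d` drop-in the way the setup above writes it, flags `DNSOverTLS=opportunistic` (cleartext fallback), a missing `Domains=~.`, a DNSSEC setting other than `yes`/`allow-downgrade`, servers without the `#hostname` suffix needed for certificate validation, and a `/etc/resolv.conf` that is not the systemd-resolved stub.

```shell
#!/bin/sh
# Added example (not from the original page): audit a systemd-resolved DoT
# drop-in plus /etc/resolv.conf against the expectations of this setup.
# Usage: audit_dot_config /etc/systemd/resolved.conf.d/DoT.conf /etc/resolv.conf

# Print the value of KEY from the [Resolve] section of FILE.
# Later assignments win (as in systemd itself); commented lines are ignored.
resolved_get() {
    file="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*\[/ { in_resolve = ($0 ~ /^[[:space:]]*\[Resolve\]/); next }
        in_resolve && $0 !~ /^[[:space:]]*#/ {
            split($0, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            if (kv[1] == key) { sub(/^[^=]*=[[:space:]]*/, ""); val = $0 }
        }
        END { print val }
    ' "$file"
}

# Report every deviation from a strict DoT setup; return 0 only when clean.
audit_dot_config() {
    conf="$1"; resolv="${2:-/etc/resolv.conf}"; rc=0

    dot=$(resolved_get "$conf" DNSOverTLS)
    case "$dot" in
        yes) ;;  # strict: fails closed when TLS or certificate validation fails
        opportunistic) echo "WARN: DNSOverTLS=opportunistic falls back to cleartext port 53; use yes"; rc=1 ;;
        *) echo "FAIL: DNSOverTLS is '$dot', expected yes"; rc=1 ;;
    esac

    dnssec=$(resolved_get "$conf" DNSSEC)
    case "$dnssec" in
        yes|allow-downgrade) ;;
        *) echo "FAIL: DNSSEC is '$dnssec', expected yes or allow-downgrade"; rc=1 ;;
    esac

    domains=$(resolved_get "$conf" Domains)
    case " $domains " in
        *" ~. "*) ;;
        *) echo "FAIL: Domains lacks '~.', per-link (DHCP) servers would be preferred"; rc=1 ;;
    esac

    # Each DoT server needs '#hostname': resolved uses it for SNI and for
    # checking the name in the server certificate.
    for server in $(resolved_get "$conf" DNS) $(resolved_get "$conf" FallbackDNS); do
        case "$server" in
            *#?*) ;;
            *) echo "FAIL: server '$server' has no #hostname suffix, certificate name cannot be validated"; rc=1 ;;
        esac
    done

    # All local clients must go through the stub on 127.0.0.53 for DoT to apply.
    if [ ! -L "$resolv" ]; then
        echo "FAIL: $resolv is not a symlink (expected -> /run/systemd/resolve/stub-resolv.conf)"; rc=1
    fi
    if ! grep -q '^nameserver 127\.0\.0\.53$' "$resolv" 2>/dev/null; then
        echo "FAIL: $resolv does not point at the systemd-resolved stub 127.0.0.53"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf and $resolv match the expected DoT setup"
    return "$rc"
}

# Run the audit when invoked with arguments; sourcing the file only defines the functions.
[ "$#" -ge 1 ] && audit_dot_config "$@"
```

The script only reads the files, so it can run as an unprivileged user. It does not replace `resolvectl status`, which shows what systemd-resolved actually loaded (including per-link servers pushed by NetworkManager) and is the place to look when the files are correct but lookups still go to an unexpected server.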