mirror of
https://codeberg.org/privacy1st/arch
synced 2024-12-23 01:16:04 +01:00
4.3 KiB
4.3 KiB
DNS
List of DNS servers
- kuketz-blog
- Digitalcourage
- https://digitalcourage.de/support/zensurfreier-dns-server
- DoT, DNSSEC: 5.9.164.112:853#dns3.digitalcourage.de
- DoT, DNSSEC: 46.182.19.48:853#dns2.digitalcourage.de
- Digitale Gesellschaft
- https://www.digitale-gesellschaft.ch/dns/
- DoT, DNSSEC: 185.95.218.42:853#dns.digitale-gesellschaft.ch
- DoT, DNSSEC: 185.95.218.43:853#dns.digitale-gesellschaft.ch
- UncensoredDNS
- https://blog.uncensoreddns.org/dns-servers/
- 89.233.43.71:853#unicast.uncensoreddns.org
- https://ffmuc.net/wiki/doku.php?id=knb:dohdot
- 5.1.66.255:853#dot.ffmuc.net
Unencrypted DNS - Network Manager Configuration
echo '[global-dns-domain-*]
# servers=serveripaddress1,serveripaddress2,serveripaddress3
servers=46.182.19.48,2a02:2970:1002::18,91.239.100.100,2001:67c:28a4::,89.233.43.71,2a01:3a0:53:53::' \
| sudo tee /etc/NetworkManager/conf.d/dns-servers.conf
sudo systemctl restart NetworkManager
Encrypted DNS - systemd-resolved
- https://wiki.archlinux.org/index.php/Systemd-resolved#DNS_over_TLS
- https://www.freedesktop.org/software/systemd/man/resolved.conf.html#
domains=~.
- https://fedoramagazine.org/use-dns-over-tls/
systemd-resolved provides resolver services for Domain Name System (DNS) (including DNSSEC and DNS over TLS), Multicast DNS (mDNS) and Link-Local Multicast Name Resolution (LLMNR)
Installation:
# already preinstalled, contains systemd-resolved
sudo pacman -S --needed systemd
# remove openresolv! It is in conflict with systemd-resolvd
sudo pacman -Rns openresolv
# optional: install resolvconf replacement (for use with systemd-resolved)
sudo pacman -S --needed systemd-resolvconf
Resolver configuration:
sudo mkdir -p /etc/systemd/resolved.conf.d
echo \
'[Resolve]
DNS=5.9.164.112:853#dns3.digitalcourage.de 46.182.19.48:853#dns2.digitalcourage.de
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=185.95.218.42:853#dns.digitale-gesellschaft.ch 185.95.218.43:853#dns.digitale-gesellschaft.ch 89.233.43.71:853#unicast.uncensoreddns.org 5.1.66.255:853#dot.ffmuc.net
Domains=~.
Cache=yes
#LLMNR=yes
#MulticastDNS=yes
#DNSStubListener=yes
#ReadEtcHosts=yes' \
| sudo tee /etc/systemd/resolved.conf.d/DoT.conf >/dev/null
NetworkManager -> use systemd-resolved:
- There are multiple alternatives to do this
- From man page https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html: If resolv.conf is symlink (see symlink line below), then NetworkManager wil automatically use resolvd. This is the nicest method.
- Alternative: Add "[main] dns=systemd-resolved" to /etc/NetworkManager/conf.d/dns.conf
# resolv.conf generated by NetworkManager
sudo systemctl stop NetworkManager
if [ ! -f /etc/resolv.conf.backup ]; then sudo mv /etc/resolv.conf /etc/resolv.conf.backup; fi
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Enabling systemd-resolvd:
sudo systemctl enable --now systemd-resolved.service
Restarting NetworkManager:
sudo systemctl restart NetworkManager
After some seconds, resolv.conf
should just contain nameserver 127.0.0.53
cat /etc/resolv.conf
See also: resolvectl status
Verification of unencrypted DNS
sudo pacman -S --needed ngrep
sudo ngrep port 53
The destination IP addresses should be one of the configured dns servers:
yoda@yodaTux ~ % sudo ngrep port 53
interface: wlp1s0 (192.168.178.0/255.255.255.0)
filter: ( port 53 ) and ((ip || ip6) || (vlan && (ip || ip6)))
#
U 192.168.178.71:60481 -> 46.182.19.48:53 #1
<............wiki.archlinux.org.....
Verification of unencrypted DNS
sudo pacman -S --needed ngrep
# output should be empty
sudo ngrep port 53
# configured DoT addresses should be visible
sudo ngrep port 853
yoda@yodaTux ~ % sudo ngrep port 853
[...]
#
T 192.168.178.71:48350 -> 5.9.164.112:853 [AP] #274
....P.G.B.(...%/. e"..A".w.>.h..a.../...<.3b.
^.d......'bj...w.qU.... ....90..4.LL.=.&