arch/pkg/de-p1st-dns
2022-05-10 13:44:49 +02:00

DNS

List of DNS servers

Unencrypted DNS - NetworkManager configuration

This pushes a fixed set of resolvers to every NetworkManager connection, but the queries still leave the machine as plaintext UDP/53: anyone on the path can read the names you look up and forge the answers. It is the baseline that the systemd-resolved section below replaces.

echo '[global-dns-domain-*]
# servers=serveripaddress1,serveripaddress2,serveripaddress3
servers=46.182.19.48,2a02:2970:1002::18,91.239.100.100,2001:67c:28a4::,89.233.43.71,2a01:3a0:53:53::' \
| sudo tee /etc/NetworkManager/conf.d/dns-servers.conf

sudo systemctl restart NetworkManager

Encrypted DNS - systemd-resolved

systemd-resolved provides resolver services for the Domain Name System (DNS) (including DNSSEC and DNS over TLS), Multicast DNS (mDNS) and Link-Local Multicast Name Resolution (LLMNR). Local programs talk to its stub listener on 127.0.0.53; systemd-resolved is the component that opens the TLS connections to the upstream servers.

Installation:

# systemd is preinstalled and already contains systemd-resolved
sudo pacman -S --needed systemd

# remove openresolv! It keeps rewriting /etc/resolv.conf and conflicts with systemd-resolved (and with systemd-resolvconf below)
sudo pacman -Rns openresolv

# optional: resolvconf replacement that forwards to systemd-resolved (for VPN clients and other tools that call resolvconf)
sudo pacman -S --needed systemd-resolvconf

Resolver configuration:

Each upstream is written as ip:853#name. The name after # is sent as TLS SNI and is the name the server certificate must match, so take it from the operator's documentation, not from a reverse lookup. DNSOverTLS=yes and DNSSEC=yes are the strict modes: a lookup fails rather than falling back to plaintext or accepting an unsigned answer (the lenient alternatives are opportunistic and allow-downgrade), which also means captive portals will not resolve until you log in some other way. Domains=~. routes all lookups to these global servers instead of the ones a DHCP lease hands to the link. FallbackDNS is only consulted when no DNS= server is configured at all.

sudo mkdir -p /etc/systemd/resolved.conf.d

echo \
'[Resolve]
DNS=5.9.164.112:853#dns3.digitalcourage.de 46.182.19.48:853#dns2.digitalcourage.de
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=185.95.218.42:853#dns.digitale-gesellschaft.ch 185.95.218.43:853#dns.digitale-gesellschaft.ch 89.233.43.71:853#unicast.uncensoreddns.org 5.1.66.255:853#dot.ffmuc.net
Domains=~.
Cache=yes
#LLMNR=yes
#MulticastDNS=yes
#DNSStubListener=yes
#ReadEtcHosts=yes' \
| sudo tee /etc/systemd/resolved.conf.d/DoT.conf >/dev/null

NetworkManager -> use systemd-resolved:

# /etc/resolv.conf is currently a plain file written by NetworkManager:
# back it up once and replace it with a symlink to systemd-resolved's stub file.
# NetworkManager detects that symlink and hands its DNS settings to systemd-resolved
# (to pin this, set dns=systemd-resolved in the [main] section of a file under /etc/NetworkManager/conf.d/).
sudo systemctl stop NetworkManager
if [ ! -f /etc/resolv.conf.backup ]; then sudo mv /etc/resolv.conf /etc/resolv.conf.backup; fi
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Enabling systemd-resolved:

sudo systemctl enable --now systemd-resolved.service

Restarting NetworkManager:

sudo systemctl restart NetworkManager

After a few seconds, /etc/resolv.conf should point at the stub file and contain only nameserver 127.0.0.53 plus an options line (edns0, and trust-ad on recent systemd versions). If it still lists your router or an ISP resolver, NetworkManager has overwritten it and is not using systemd-resolved.

cat /etc/resolv.conf

Troubleshooting

resolvectl status

Watch journal

  1. Enable debug logging:

sudo systemctl edit systemd-resolved

# add to the drop-in:
[Service]
Environment=SYSTEMD_LOG_LEVEL=debug

sudo systemctl restart systemd-resolved

  2. View the log:

journalctl -u systemd-resolved -f

Verification of unencrypted DNS (NetworkManager configuration)

sudo pacman -S --needed ngrep

sudo ngrep port 53

The destination address of every packet should be one of the servers configured above. Note that the queried name (wiki.archlinux.org) is readable in the payload: this is what the DoT setup hides from the network.

yoda@yodaTux ~ % sudo ngrep port 53
interface: wlp1s0 (192.168.178.0/255.255.255.0)
filter: ( port 53 ) and ((ip || ip6) || (vlan && (ip || ip6)))
#
U 192.168.178.71:60481 -> 46.182.19.48:53 #1
  <............wiki.archlinux.org..... 

Verification of encrypted DNS (DoT)

sudo pacman -S --needed ngrep

# capture on the uplink interface (not lo, where the stub's own 127.0.0.53 traffic lives):
# the output should be empty, because DNSOverTLS=yes never falls back to plaintext.
# Any hit is a program bypassing the stub, e.g. a tool called with an explicit @server.
sudo ngrep port 53

# the configured DoT servers should show up as TLS connections to port 853 (the payload is ciphertext)
sudo ngrep port 853
yoda@yodaTux ~ % sudo ngrep port 853
[...]
#
T 192.168.178.71:48350 -> 5.9.164.112:853 [AP] #274
  ....P.G.B.(...%/. e"..A".w.>.h..a.../...<.3b.
  ^.d......'bj...w.qU.... ....90..4.LL.=.&
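The manual checks above (symlink, resolvectl status, ngrep on 53 and 853) can be rolled into one script. The following is an added example, not part of the de-p1st-dns package: it parses resolvectl status for the strict DoT and DNSSEC settings (the two line formats it understands are assumptions from different systemd generations; check them against yours), forces an uncached lookup while ngrep captures both ports on the uplink, and fails if any plaintext DNS leaves the interface or if no port-853 traffic appears. The status and capture samples in the file are constructed for the self-test, not real output.

```shell
#!/bin/sh
# dns-verify.sh: an added example, not part of the de-p1st-dns package.
# Checks that the systemd-resolved + DNS-over-TLS setup from this README is
# really in effect: /etc/resolv.conf points at the resolved stub, resolvectl
# reports strict DoT and DNSSEC, and a forced lookup produces port-853 but no
# port-53 traffic on the uplink interface (captured with ngrep, as above).
set -eu

# Is the symlink target of /etc/resolv.conf systemd-resolved's stub file?
# Accepts the absolute target used above and the relative one "ln -rsf" makes.
resolv_conf_is_stub() {
    case "$1" in
        /run/systemd/resolve/stub-resolv.conf|../run/systemd/resolve/stub-resolv.conf) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse "resolvectl status" text ($1). Assumed line formats (check yours):
#   newer systemd: "Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported"
#   older systemd: "DNSOverTLS setting: yes" and "DNSSEC setting: yes"
# Only the strict settings count; "opportunistic" and "allow-downgrade" fail.
dot_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[[:space:]])\+DNSOverTLS([[:space:]]|$)|DNSOverTLS setting: yes'
}
dnssec_strict() {
    printf '%s\n' "$1" |
        grep -Eq 'DNSSEC=yes(/|[[:space:]]|$)|DNSSEC setting: yes'
}

# Did an ngrep capture ($1) contain a packet to destination port $2 (53 or 853)?
# ngrep header lines look like "U 192.168.178.71:60481 -> 46.182.19.48:53 #1".
saw_port() {
    printf '%s\n' "$1" | grep -Eq "^[UT] .* -> .*:$2( |\$)"
}

# Constructed samples (not real output) for the self-test.
STATUS_GOOD='Global
         Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub
Current DNS Server: 5.9.164.112:853#dns3.digitalcourage.de'
STATUS_BAD='Global
         Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  resolv.conf mode: foreign'
CAPTURE_DOT='T 192.168.178.71:48350 -> 5.9.164.112:853 [AP] #1
  ....P.G.B.(...'
CAPTURE_LEAK='U 192.168.178.71:60481 -> 46.182.19.48:53 #1
  <............wiki.archlinux.org.....'

self_test() {
    dot_enabled "$STATUS_GOOD" && dnssec_strict "$STATUS_GOOD" || return 1
    if dot_enabled "$STATUS_BAD" || dnssec_strict "$STATUS_BAD"; then return 1; fi
    resolv_conf_is_stub /run/systemd/resolve/stub-resolv.conf || return 1
    if resolv_conf_is_stub /run/NetworkManager/resolv.conf; then return 1; fi
    saw_port "$CAPTURE_DOT" 853 && ! saw_port "$CAPTURE_DOT" 53 || return 1
    saw_port "$CAPTURE_LEAK" 53 && ! saw_port "$CAPTURE_LEAK" 853 || return 1
}

# Live checks; root is needed for ngrep. $1 = uplink interface (default: the
# one carrying the default route), so the stub's own 127.0.0.53 traffic on lo
# is not mistaken for a leak.
main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (ngrep needs raw sockets)"; exit 1; }
    iface=${1:-$(ip -o route get 1.1.1.1 | sed -n 's/.* dev \([^ ]*\).*/\1/p')}

    target=$(readlink /etc/resolv.conf 2>/dev/null || true)
    resolv_conf_is_stub "$target" || { echo "FAIL /etc/resolv.conf -> '${target:-not a symlink}'"; exit 1; }
    status=$(resolvectl status)
    dot_enabled "$status"   || { echo "FAIL DNSOverTLS is not strictly 'yes'"; exit 1; }
    dnssec_strict "$status" || { echo "FAIL DNSSEC is not strictly 'yes'";     exit 1; }

    # Force an upstream query while capturing both ports on the uplink.
    ( sleep 2; resolvectl flush-caches; resolvectl query wiki.archlinux.org >/dev/null 2>&1 || true ) &
    capture=$(timeout 8 ngrep -q -l -d "$iface" '' 'port 53 or port 853' 2>/dev/null || true)
    wait
    saw_port "$capture" 53  && { echo "FAIL plaintext DNS left $iface:"; printf '%s\n' "$capture" | grep -E ':53( |$)'; exit 1; }
    saw_port "$capture" 853 || { echo "FAIL no DoT traffic seen on $iface during the forced lookup"; exit 1; }
    echo "ok: stub resolv.conf, strict DoT + DNSSEC, only port 853 on $iface"
}

# Live checks run only on request (sudo sh dns-verify.sh run [iface]) so the
# file can also be sourced for its functions.
if [ "${1:-}" = run ]; then
    self_test || { echo "self-test failed"; exit 1; }
    shift
    main "$@"
fi
```

Run it as sudo sh dns-verify.sh run, or pass the interface explicitly (sudo sh dns-verify.sh run wlp1s0) on a machine with several uplinks. A port-53 hit during the 8-second window is not necessarily systemd-resolved: with DNSOverTLS=yes it never sends plaintext, so look for the process that opened the socket instead.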