Enabling system-wide encrypted DNS (installation, boot time and runtime)

Article Summary:
Describe how to enable system-wide encrypted DNS (DNS over TLS) on Fedora 42 and rawhide, not only at runtime but also during boot time and system installation.

Article Description:
A Red Hat working group has worked to deliver support for system-wide encrypted DNS to fulfil the requirements for Zero Trust Networks. This means that encrypted DNS has to be enabled not only during system runtime but also during the boot process for network boots, or even during system installation itself, including support for custom CA certificates.

The latest bits have landed in Fedora 42 (except installation, which is available in F43/rawhide); this article should advertise this to users and provide a guide to enable it.

While runtime DoT has been possible via systemd-resolved for some time now, it was not possible to enable it during installation or boot time. Additionally, systemd-resolved remains a controversial topic: there is not much development going on, and many advanced users just disable it right away for various reasons. Therefore, after discussion with systemd developers, we decided to use a different DNS resolver, unbound, and integrate it into the system using NetworkManager and the dnsconfd service. The final solution allows you to configure a DNS over TLS server via NetworkManager, enable it for boot time using dracut modules, and also enable it immediately for installation using kernel arguments.

I am happy to contribute the article myself.


+1 Thanks!

@pbrezina Pagure Ticket #388 has been created to track the progress of your article.

Let the editors know that it is ready for review in the Fedora Magazine WordPress instance by leaving a preview link in a comment on that ticket.

Thanks for contributing to the Fedora Magazine.