I use NextDNS conf
/etc/systemd/resolved.conf to edit and use this as DNS,
but I could not find anything like this. Can anyone help?
Should be the same process as in that thread.
man resolved.conf
DNSOverTLS=
Takes a boolean argument or "opportunistic". If true all connections to the server will be encrypted. Note that this mode requires a DNS server that supports DNS-over-TLS and has a valid certificate. If the hostname was specified in DNS= by using the format "address#server_name" it is used to validate its certificate and also to enable Server Name Indication (SNI) when opening a TLS connection. Otherwise the certificate is checked against the server's IP. If the DNS server does not support DNS-over-TLS all DNS requests will fail.
When set to "opportunistic" DNS request are attempted to send encrypted with DNS-over-TLS. If the DNS server does not support TLS, DNS-over-TLS is disabled. Note that this mode makes DNS-over-TLS vulnerable to "downgrade" attacks, where an attacker might be able to trigger a downgrade to non-encrypted mode by synthesizing a response that suggests DNS-over-TLS was not supported. If set to false, DNS lookups are send over UDP.
Note that DNS-over-TLS requires additional data to be send for setting up an encrypted connection, and thus results in a small DNS look-up time penalty.
Note that in "opportunistic" mode the resolver is not capable of authenticating the server, so it is vulnerable to "man-in-the-middle" attacks.
In addition to this global DNSOverTLS= setting systemd-networkd.service(8) also maintains per-link DNSOverTLS= settings. For system DNS servers (see above), only the global DNSOverTLS= setting is in effect. For per-link DNS servers the per-link setting is in effect, unless it is unset in which case the global setting is used instead.
Defaults to "no".
Added in version 239.
It is okay if /etc/systemd/resolved.conf is not there already. Copy the initial version with sudo cp /usr/share/systemd/system/resolved.conf /etc/systemd/resolved.conf. Then edit the file with sudo -e /etc/systemd/resolved.conf and set whatever is needed. You can edit it right from the start and set whatever is needed. The default configuration has everything commented out.
Note: You likely should also configure NetworkManager to change DNSOverTLS for per-interface settings. When it receives a domain from local DHCP, it often fails to resolve on those domains. resolved.conf does not have a good way to configure it there.
# /etc/NetworkManager/conf.d/50-dns-over-tls.conf
[connection]
connection.dns-over-tls = opportunistic
If you want to use global DNS over TLS only, you have to set ipv4.ignore-auto-dns = yes and ipv6.ignore-auto-dns=yes on every connection you create.
Not sure about Silverblue, but this is what I did on Workstation for Quad9:
sudo mkdir -p '/etc/systemd/resolved.conf.d' && sudo -e '/etc/systemd/resolved.conf.d/99-dns-over-tls.conf' && sudo restorecon -F -I '/etc/systemd/resolved.conf.d/99-dns-over-tls.conf'
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNSOverTLS=yes
# End
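The man page excerpt quoted in this thread separates strict mode with "address#server_name" entries from "opportunistic" mode and from entries whose certificate is checked against the IP. The following is an added example, not code from the thread or from systemd, that checks one resolved.conf-style file for those conditions; the helper name audit_dot_conf and the sample files are constructed for illustration, and it does not merge multiple drop-ins or per-link settings.

```shell
#!/bin/sh
# Added example; audit_dot_conf is a hypothetical helper, not a systemd tool.
# Reads one resolved.conf-style file, prints one finding per line, and
# returns 0 only when DoT is strict and every DNS= entry names its server.
audit_dot_conf() {
    mode="" servers="" section="" rc=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*|';'*) continue ;;              # blank lines and comments
            '['*']') section=$line; continue ;;    # section header
        esac
        [ "$section" = "[Resolve]" ] || continue
        key=${line%%=*} val=${line#*=}
        case $key in
            DNSOverTLS) mode=$(printf '%s' "$val" | tr 'A-Z' 'a-z') ;;
            # An empty DNS= clears the list; other assignments accumulate.
            DNS) if [ -n "$val" ]; then servers="$servers $val"; else servers=""; fi ;;
        esac
    done <<EOF
$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1")
EOF
    case $mode in
        yes|y|true|t|on|1) ;;                      # strict mode
        opportunistic) echo "WEAK DNSOverTLS=opportunistic: downgrade to plaintext possible"; rc=1 ;;
        *) echo "WEAK DNSOverTLS=${mode:-unset}: lookups are not encrypted"; rc=1 ;;
    esac
    [ -n "$servers" ] || { echo "NODNS no global DNS= servers set in this file"; rc=1; }
    for s in $servers; do
        case $s in
            *'#'?*) ;;                             # address#server_name form
            *) echo "NONAME $s: no #server_name, certificate is checked against the IP"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: a strict Quad9 drop-in like the one above, and a weaker variant.
tmp=$(mktemp -d)
printf '[Resolve]\nDNS=9.9.9.9#dns.quad9.net 2620:fe::fe#dns.quad9.net\nDNSOverTLS=yes\n' > "$tmp/strict.conf"
printf '[Resolve]\nDNS=9.9.9.9\nDNSOverTLS=opportunistic\n' > "$tmp/weak.conf"
audit_dot_conf "$tmp/strict.conf" && echo "strict.conf: OK"
audit_dot_conf "$tmp/weak.conf" || echo "weak.conf: findings above"
```

A file that passes this check still only describes the global setting; what the running resolver actually uses on each link is reported by resolvectl status.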