How to set up encrypted DNS (DNS-over-TLS, DoT) system-wide with a custom DoT server in Fedora 34 / 35 beta

How to add a custom DNS server using the DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) protocols for the full system? Fedora 35 has DoT, but I did not find it. DoT is a good protocol for DNS and it can save you from the ISP and many more. Although it can be done through cloudflared/systemd-resolved, official support is needed.
Android already has this feature with an easy setup since P.

I don't know if this feature is still not introduced in Fedora; please do consider it in Fedora 36.
Whoever is seeing this post, please send this request to our devs to introduce this feature.
This is critical for security.

Hi,

Looks like DoT with systemd-resolved (if your upstream resolvers support it) will be the default in 35, according to this:

https://fedoraproject.org/wiki/Changes/DNS_Over_TLS#Release_Notes

Thanks Tom.


Select a suitable DoT provider:
https://en.wikipedia.org/wiki/Public_recursive_name_server

Then you can enable and configure DoT like this:
https://discussion.fedoraproject.org/t/dns-resolution-broken/67067/2?u=vgaetera

Yes, it is not that easy to do, like if I want to add a DNS server such as 1dot1dot1dot1.cloudflare-dns.com as a DoT server, which we can add in Android.

Note that systemd-resolved only supports DoT, not DoH.


Yes, I found it, but a GUI interface would be nice for custom DoT server additions.

Yes, I know that it only supports DoT, not DoH. For instance:
DoT is like dns.adguard.com
DoH is like https://dns.adguard.com/dns-query

You need to specify the DoT provider by IP.
DoT by domain name is not supported yet.
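A small DNS-over-TLS probe, added here as an example that is not part of this thread, of systemd-resolved or of dnscrypt-proxy: it speaks RFC 7858 directly (TCP port 853, TLS, a 2-byte length prefix on each DNS message), so a provider given as IP plus certificate hostname can be checked before the system resolver is pointed at it. The resolver IP, hostname and queried name are whatever the caller passes in; the parser is exercised offline on a constructed reply.

```python
import socket
import ssl
import struct
TXID = 0x1234  # fixed transaction id, so replies can be matched to the query

def build_query(name):
    """Wire-format DNS query for an A record with the RD bit set (no EDNS)."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def _skip_name(resp, pos):
    # Advance past a (possibly compressed) domain name; return the new offset.
    while True:
        octet = resp[pos]
        if octet & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return pos + 2
        if octet == 0:             # root label terminates the name
            return pos + 1
        pos += octet + 1

def parse_a_records(resp):
    """Return IPv4 strings from the answer section; raise on errors or mismatch."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != TXID or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    ips, pos = [], 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4            # skip QTYPE + QCLASS
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips

def dot_lookup(name, server_ip, sni, port=853, timeout=5):
    """RFC 7858 exchange; 'sni' is the hostname the server certificate is checked against."""
    ctx = ssl.create_default_context()                 # verifies chain and hostname
    with socket.create_connection((server_ip, port), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            query = build_query(name)
            tls.sendall(struct.pack("!H", len(query)) + query)
            stream = tls.makefile("rb")                # read(n) blocks until n bytes
            (length,) = struct.unpack("!H", stream.read(2))
            return parse_a_records(stream.read(length))
```

Call it as dot_lookup("example.com", "<resolver IP>", "<certificate hostname>"); a certificate that does not match the hostname fails the TLS handshake, which is exactly the check a resolver configured by IP relies on.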

Yes, I know; that is why I am requesting that. Please give feedback to the Fedora developers so that we get an option to add DoT with a domain-like interface. Thank you.

Your original question about enabling and configuring DoT has already been answered above.
Specifying DoT providers by domain name is a separate feature which is not supported yet.
This is not really a Fedora-specific problem, so you’d best make an upstream feature request.

Sample …
Use dnscrypt-proxy?
https://dnscrypt.info/

systemctl stop systemd-resolved
systemctl disable systemd-resolved

Download and copy to /opt/dnscrypt-proxy/
cd /opt/dnscrypt-proxy/
Copy example-dnscrypt-proxy.toml to dnscrypt-proxy.toml
nano /opt/dnscrypt-proxy/dnscrypt-proxy.toml

Sample:
server_names = ['cloudflare-security-ipv6', 'cloudflare-security']
We can choose from the list public-resolvers.md (restart dnscrypt-proxy first).

./dnscrypt-proxy -service install
./dnscrypt-proxy -service uninstall
./dnscrypt-proxy -service start
./dnscrypt-proxy -service restart
./dnscrypt-proxy -service stop

Remove the symlink /etc/resolv.conf
(by default resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf)

nano /etc/resolv.conf
nameserver ::1
nameserver 127.0.0.1
options edns0

https://github.com/systemd/systemd/issues/21137#issue-1036645192