Specifying Systemwide DNS in Silverblue

There doesn’t seem to be any information readily available about how to specify DNS in Fedora Silverblue.

This thread dead ends →

Since the ostree is immutable, configuring Firefox won’t work, and that wouldn’t be systemwide anyway.

I would like TLS or DOH encrypted DNS for all traffic.

I have in mind DNS like these providers:
1.1.1.3 Cloudflare
9.9.9.9 Quad9
ns2.va.us.dns.opennic.glue
ns2.ny.us.dns.opennic.glue
ns23.de.dns.opennic.glue
Please share others that you would recommend besides 8.8.8.8.

Thanks!

I would choose something from the list on:

I do not know of a more trustworthy list of global providers. Of course some local providers might provide good service while following local regulations for privacy protection.

I think the toolbox container would not work, but I don’t use it often and haven’t tried. We have the dnscrypt-proxy rpm package in Fedora. I would recommend unbound as a DoT implementation, but it requires some manual configuration. I have never used it on Silverblue or another ostree-based distribution, though.

While much of the filesystem is immutable, Silverblue supports changing configuration under /etc, which is where your DNS resolver settings are configured (i.e. /etc/resolv.conf).

YMMV, but on my host /etc/resolv.conf is symlinked to /run/systemd/resolve/stub-resolv.conf and is managed by systemd-resolved.service.

You should understand how your DNS resolver configuration is managed on your host and then make changes to your DNS resolver config as needed.


Yes, turns out that the system resolver works much like standard Workstation.

Some networks block private DNS, oddly enough. VPN works, and so does a Tor bridge, but why block encrypted DNS? Why would any sysadmin block Cloudflare? If I were a sysadmin, I would increase the QoS of secure and private DNS.

Having worked some more with Silverblue and figured out how to do automatic updates with ostree, add Flatpaks, etc., I would definitely recommend it. Some very cool design features!

Shameless plug: use OpenDNS! There is DoH support too. I use it on all my devices at home and it performs great. I set up my daughter’s tablet to use the family shield and can confirm it works as desired, no bad sites (yeah, it’s weird to test those things on your kids’ devices, but you have to in order to know it works).

If you look at man resolved.conf, you will find the files that are read by systemd-resolved.service. The only two mutable areas here are /etc/systemd/resolved.conf and /etc/systemd/resolved.conf.d/*.conf. I would suggest copying the immutable example file /usr/lib/systemd/resolved.conf into /etc/systemd/resolved.conf.d/.conf, then modifying the DNS= and FallbackDNS= lines as well as the Domains= lines.

I’ve confirmed on my system, via resolvectl status, that this changes the GLOBAL scope; after a reboot, the options persisted.
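The two systemd-resolved posts above (the /etc/resolv.conf symlink check and the resolved.conf.d drop-in) can be combined into one script. This is an added example, not code from the thread; it assumes /etc/resolv.conf is managed by systemd-resolved, as described earlier, and uses a drop-in file name (10-dot.conf) chosen for this example. Note that systemd-resolved implements DNS-over-TLS (DoT) but not DoH, so the drop-in uses DNSOverTLS=; the ip#hostname form lets resolved check the resolver's TLS certificate name, and Domains=~. routes all lookups to these global servers instead of per-link DHCP resolvers.

```shell
#!/usr/bin/env bash
# Added example for this thread (not the original poster's code).
# Enables DNS-over-TLS in systemd-resolved via a resolved.conf.d drop-in.
set -eu

# Report whether /etc/resolv.conf is the systemd-resolved stub symlink.
# Returns 0 if resolved manages it, 1 otherwise.
resolv_managed_by_resolved() {
  local target
  target="$(readlink -f /etc/resolv.conf 2>/dev/null || true)"
  [ "$target" = "/run/systemd/resolve/stub-resolv.conf" ] ||
    [ "$target" = "/run/systemd/resolve/resolv.conf" ]
}

# Write the drop-in. $1 = target directory (default: the real resolved.conf.d).
# Prints the path of the file it wrote.
write_resolved_dropin() {
  local dir="${1:-/etc/systemd/resolved.conf.d}"
  local file="$dir/10-dot.conf"   # file name is an assumption; any *.conf works
  mkdir -p "$dir"
  cat > "$file" <<'EOF'
[Resolve]
# Quad9 primary/secondary; ip#hostname makes resolved validate the TLS cert name
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
# Cloudflare as fallback if the primaries are unreachable
FallbackDNS=1.1.1.1#cloudflare-dns.com
# Strict DoT: refuse to fall back to plaintext port 53
DNSOverTLS=yes
DNSSEC=allow-downgrade
# Send every lookup to the global resolvers, not per-link DHCP ones
Domains=~.
EOF
  printf '%s\n' "$file"
}

# Sanity check on the written file: the two settings that matter for privacy.
# Returns 0 if both are present, 1 otherwise.
check_resolved_dropin() {
  local file="$1"
  grep -q '^DNSOverTLS=yes$' "$file" &&
    grep -q '^DNS=9\.9\.9\.9#dns\.quad9\.net' "$file"
}

# Only touch the live system when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
  resolv_managed_by_resolved || echo "warning: /etc/resolv.conf is not the resolved stub" >&2
  f="$(write_resolved_dropin)"
  check_resolved_dropin "$f"
  systemctl restart systemd-resolved
  resolvectl status | head -n 20   # GLOBAL scope should now show the DoT servers
fi
```

Run it as root with --apply, then confirm with resolvectl status that the Global section lists "+DNSOverTLS" and the Quad9 servers; resolvectl query example.com afterwards exercises the encrypted path. On networks that block port 853 (the "blocked private DNS" case mentioned above), strict DNSOverTLS=yes will make lookups fail rather than silently downgrade, which is the behaviour you want when the goal is that no plaintext DNS leaves the host.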