I am new to Fedora. I am using Kinoite but I have also specified Silverblue in the title because most issues I have been able to overcome so far has been from reading Silverblue documentation haha.
One hurdle I have been unable to overcome is how to get system-wide DNS over TLS or DNS over HTTPS on my system. My setup is that I am primarily using a Wireguard configuration from my VPN provider through Network Manager. My VPN is ipv4 only.
So, if I go into my NetworkManager I see three networks:
My wired ethernet connection. The IPv4 tab method is set to automatic. The "DNS Servers" section is empty.
My Wireguard VPN connection. The IPV4 tab is set to manual. The "DNS Servers" section is completed with the standard IPv4 DNS servers for my DNS provider.
lo - I understand this is irrelevant.
This setup is achieving:
My computer-wide system traffic is going through my VPN through the Wireguard profile. I can confirm this by visiting IP checking sites.
My DNS connections are over standard, non-encrypted DNS to my chosen DNS provider from the Wireguard profile. I can confirm this by viewing the logs with my DNS provider.
What I want to change is that I want my DNS connections to be encrypted - either by DNS over TLS or DNS over HTTPS system-wide. Both options are supported by my DNS provider. I want this to apply even if, for example, I disabled my VPN. I would also like this to override any other DNS settings in network manager.
My question is: How can I achieve this? I have tried googling, I read this thread: Specifying Systemwide DNS in Silverblue, and I've had a look into systemd-resolved but I've hit a wall in my understanding! Does anyone have any advice or guidance they can share?
Edit: See further comments from others below - this was not entirely correct!
Thank you. This set me down the right path. I believe I have resolved it now - although it's still not entirely clear to me how it works, it does appear to be working.
This is what I did, for anyone looking at this in the future.
In command line:
sudo mkdir -p /etc/systemd/resolved.conf.d
This created a "resolved.conf.d" directory.
I then created a file called dns_servers.conf in the new directory. The contents of the dns_servers.conf were what I copied and pasted from my DNS provider. It looked similar to this:
This is I believe a systemd-resolved configuration file that sets a system-wide DNS on the PC - which is what I was trying to achieve.
I then ran:
sudo systemctl restart systemd-resolved
This restarted systemd-resolved with my new configuration.
I then removed the manual DNS settings I had put in Network Manager.
I then restarted my PC.
On launch, I can see with my DNS provider that all requests are now coming from DNS Over TLS.
I also ran "resolvectl status" in command line and I can see a "global" entry that shows DNS Over TLS is enabled and the DNS servers etc. it is using.
This would get wrong results. Because systemd-resolved is a bit weird. If your resolvectl status command contains +DefaultRoute and DNS servers also on your link, resolved will send your name queries both to servers specified in Global and in Link.
You can direct all your queries into VPN connection by appending ~. to ipv4.dns-search property in Network Manager. You can ignore network provided DNS by setting ipv4.ignore-auto-dns yes in edit mode nmcli c edit $UUID. Replace $UUID by ethernet connection identification obtained by nmcli c command.
Then you can replace ipv4.dns server with addresses (#names), also set connection.dns-over-tls yes, then save, activate, quit.
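Added example, not code from anyone in this thread: a small POSIX shell script that covers both the drop-in file the original poster created under /etc/systemd/resolved.conf.d and the "+DefaultRoute leak" check described in the reply above. make_dropin prints a systemd-resolved drop-in (the resolver addresses are constructed placeholders in the address#hostname form resolved uses for TLS name verification; substitute your provider's endpoints), audit_links reads resolvectl status output and names every link that would still receive queries, and fix_connection wraps the nmcli properties from the reply. The function names and the sample status text are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for the procedure above:
# make_dropin prints a systemd-resolved drop-in like the one written to
# /etc/systemd/resolved.conf.d/dns_servers.conf, and audit_links reads
# `resolvectl status` output and names every link that would still receive
# queries (+DefaultRoute on the link, or its own DNS servers).

# Placeholder resolvers (constructed); replace with your provider's DoT
# endpoints. The address#hostname form tells resolved which TLS name to verify.
DOT_SERVERS="${DOT_SERVERS:-192.0.2.53#dot.example.invalid 2001:db8::53#dot.example.invalid}"

# Usage: make_dropin | sudo tee /etc/systemd/resolved.conf.d/dns_servers.conf
# Domains=~. is the drop-in equivalent of the "~." search domain from the
# reply: it routes all names to the Global servers instead of per-link ones.
make_dropin() {
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=yes\nDomains=~.\n' "$DOT_SERVERS"
}

# Usage: resolvectl status | audit_links
# Prints one link name per line; empty output means only Global answers queries.
audit_links() {
    awk '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); next }
        /^Global/          { link = ""; next }
        link != "" && /Protocols:/ && /\+DefaultRoute/ { flagged[link] = 1 }
        link != "" && /DNS Servers?:/                   { flagged[link] = 1 }
        END { for (l in flagged) print l }
    ' | sort
}

# Constructed sample of `resolvectl status` for a machine where the ethernet
# link still carries +DefaultRoute and a DHCP-provided resolver.
sample_status() {
    cat <<'EOF'
Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
       DNS Servers: 192.0.2.53#dot.example.invalid
        DNS Domain: ~.

Link 1 (lo)
    Current Scopes: none
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 2 (enp1s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1

Link 3 (wg0)
    Current Scopes: none
         Protocols: -DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
EOF
}

# The nmcli changes from the reply, wrapped for reuse. Not run here; pass the
# connection UUID shown by `nmcli c`.
fix_connection() {
    nmcli c modify "$1" ipv4.ignore-auto-dns yes +ipv4.dns-search '~.' connection.dns-over-tls yes
}

# Stand-alone run: audit the constructed sample (prints "enp1s0").
sample_status | audit_links
```

Run the audit against the live machine with resolvectl status | audit_links after restarting systemd-resolved; any link it prints is one that will still be handed queries alongside the Global DoT servers, which is exactly the split the reply warns about.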
Thank you for this, my ethernet link was showing +DefaultRoute and undesired DNS servers.
I ran your nmcli commands and running resolvectl status I now only see my desired DNS over TLS servers under "global" and my other connections (ethernet, wireguard, lo) all have protocols that show -DefaultRoute and +DNSOverTLS and no individual DNS Servers, so I think it's sorted. I appreciate it!
Are you suggesting this could be improved/is incorrect? I do not mind if the .conf file is not following the rules perfectly, as long as it will achieve the correct result.