Systemwide DNS in Silverblue/Kinoite - Override DNS settings for DoT

Hi Everyone! :blush:

I am new to Fedora. I am using Kinoite but I have also specified Silverblue in the title because most issues I have been able to overcome so far have been from reading Silverblue documentation haha.

One hurdle I have been unable to overcome is how to get system-wide DNS over TLS or DNS over HTTPS on my system. My setup is that I am primarily using a Wireguard configuration from my VPN provider through Network Manager. My VPN is ipv4 only.

So, if I go into my NetworkManager I see three networks:

  1. My wired ethernet connection. The IPv4 tab method is set to automatic. The "DNS Servers" section is empty.
  2. My Wireguard VPN connection. The IPv4 tab is set to manual. The "DNS Servers" section is completed with the standard IPv4 DNS servers for my DNS provider.
  3. lo - I understand this is irrelevant.

This set up is achieving:

  1. My computer wide system traffic is going through my VPN through the Wireguard profile. I can confirm this by visiting IP checking sites.
  2. My DNS connections are over standard, non-encrypted DNS to my chosen DNS provider from the Wireguard profile. I can confirm this by viewing the logs with my DNS provider.

What I want to change is that I want my DNS connections to be encrypted - either by DNS over TLS or DNS over HTTPS system-wide. Both options are supported by my DNS provider. I want this to apply even if, for example, I disabled my VPN. I would also like this to override any other DNS settings in network manager.

My question is: How can I achieve this? I have tried googling, I read this thread: Specifying Systemwide DNS in Silverblue, and I've had a look into systemd-resolved but I've hit a wall in my understanding! Does anyone have any advice or guidance they can share? :blush:



this is not specific to atomic desktops

but you can place an override file for systemd resolved, which does the DNS stuff, in /etc/systemd/resolved.conf.d/somename.conf

this is way cleaner than editing the resolved.conf itself, and in the case of atomic desktops, sometimes allows for updates to fix existing files

example:

Edit: See further comments from others below - this was not entirely correct!

Thank you. This set me down the right path. I believe I have resolved it now - although it's still not entirely clear to me how it works, it does appear to be working.

This is what I did, for anyone looking at this in the future.

In command line:

sudo mkdir -p /etc/systemd/resolved.conf.d

This created a "resolved.conf.d" directory.

I then created a file called dns_servers.conf in the new directory. The contents of the dns_servers.conf was what I copied and pasted from my DNS provider. It looked similar to this:

[Resolve]
DNS=XXXX.XXXX.XXX
DNS=XXXX.XXXX.XXX
DNS=XXXX.XXXX.XXX
DNS=XXXX.XXXX.XXX
DNSOverTLS=yes

I saved the file.

This is I believe a systemd-resolved configuration file that sets a system-wide DNS on the PC - which is what I was trying to achieve.

I then ran:

sudo systemctl restart systemd-resolved

This restarted systemd-resolved with my new configuration.

I then removed the manual DNS settings I had put in Network Manager.

I then restarted my PC.

On launch, I can see with my DNS provider that all requests are now coming from DNS Over TLS.

I also ran "resolvectl status" in command line and I can see a "global" entry that shows DNS Over TLS is enabled and the DNS servers etc. it is using.

this is not completely correct. see the manual on that file here:

https://www.freedesktop.org/software/systemd/man/latest/resolved.conf.html

I think that should be man resolved.conf

DNS=1 2 3
FallbackDNS=4 5 6

Using override files if supported is really good practice, as you never touch the original files.

Having an override file for a specific config or settings-type helps.

This would get wrong results. Because systemd-resolved is a bit weird. If your resolvectl status command contains +DefaultRoute and DNS servers also on your link, resolved will send your name queries both to servers specified in Global and in Link.

You can direct all your queries into VPN connection by appending ~. to ipv4.dns-search property in Network Manager. You can ignore network provided DNS by setting set ipv4.ignore-auto-dns yes in edit mode nmcli c edit $UUID. Replace $UUID by ethernet connection identification obtained by nmcli c command.

Then you can replace ipv4.dns server with addresses (#names), set also set connection.dns-over-tls yes, then save, activate, quit.
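As an added example (not code from the thread or from any of its participants), the following POSIX shell script puts the two halves of the thread together: it renders the systemd-resolved drop-in from the earlier post (as one space-separated `DNS=` line with the `#name` suffix used for TLS certificate validation), wraps the nmcli changes described above, and audits `resolvectl status` output for exactly the condition named in this post, a link that still has `+DefaultRoute` together with its own DNS servers. The addresses and link names are constructed placeholders, the parser assumes the output layout that `resolvectl status` prints (as quoted later in the thread), and `install_resolved_dropin` and `pin_connection_dns` need root and a live system, so when run as-is the script audits the embedded sample instead.

```shell
#!/bin/sh
# Added example, not from the thread. Renders a systemd-resolved drop-in for
# DNS over TLS and audits `resolvectl status` output for links that would still
# receive queries next to the Global DoT servers. All addresses and link names
# below are constructed placeholders (RFC 5737 documentation ranges).

# render_resolved_dropin ADDR[#NAME]... : print drop-in content for
# /etc/systemd/resolved.conf.d/. A single space-separated DNS= line is the
# form resolved.conf(5) documents; "#name" tells resolved which TLS server
# name to validate the certificate against.
render_resolved_dropin() {
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=yes\n' "$*"
}

# install_resolved_dropin NAME ADDR[#NAME]... : write the drop-in and restart
# resolved. Needs root; mirrors the steps used in the thread.
install_resolved_dropin() {
    name=$1; shift
    mkdir -p /etc/systemd/resolved.conf.d
    render_resolved_dropin "$@" > "/etc/systemd/resolved.conf.d/$name"
    systemctl restart systemd-resolved
}

# pin_connection_dns UUID ADDR[#NAME]... : the NetworkManager side from the
# thread. Ignores DHCP-provided DNS, routes every query (~.) to this
# connection and asks NM for DNS over TLS on it. Needs nmcli.
pin_connection_dns() {
    uuid=$1; shift
    nmcli connection modify "$uuid" ipv4.ignore-auto-dns yes ipv4.dns-search '~.' \
        ipv4.dns "$*" connection.dns-over-tls yes
    nmcli connection up "$uuid"
}

# leaking_links STATUS_TEXT : print the name of every Link section whose
# Protocols line carries +DefaultRoute and whose "DNS Servers:" line is
# non-empty. Queries go to those servers as well as to the Global ones.
leaking_links() {
    printf '%s\n' "$1" | awk '
        function flush() { if (link != "" && route && dns) print link; route = 0; dns = 0 }
        /^Link [0-9]+ \(/ { flush(); link = $3; sub(/^\(/, "", link); sub(/\)$/, "", link); next }
        /^Global/        { flush(); link = ""; next }
        link != "" && /Protocols:/ && /\+DefaultRoute/ { route = 1 }
        link != "" && /DNS Servers:/ {
            sub(/.*DNS Servers:[ \t]*/, "")
            if ($0 != "") dns = 1
        }
        END { flush() }
    '
}

# Constructed sample in the layout resolvectl prints: Global uses DoT, the
# ethernet link still has +DefaultRoute plus a DHCP resolver (the leak the
# thread found), the WireGuard link has been pinned correctly.
SAMPLE_STATUS='Global
       Protocols: LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
Current DNS Server: 192.0.2.1#dot.example.net
       DNS Servers: 192.0.2.1#dot.example.net 192.0.2.2#dot.example.net

Link 2 (enp3s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1

Link 3 (wg0)
    Current Scopes: DNS
         Protocols: -DefaultRoute LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=no/unsupported
'

# Audit the live system when AUDIT_LIVE=1 and resolvectl exists, else the sample.
if [ "${AUDIT_LIVE:-0}" = 1 ] && command -v resolvectl >/dev/null 2>&1; then
    status=$(resolvectl status)
else
    status=$SAMPLE_STATUS
fi
leaks=$(leaking_links "$status")
if [ -n "$leaks" ]; then
    echo "links still answering with +DefaultRoute and their own DNS servers: $leaks"
else
    echo "no per-link DNS next to the Global DoT servers"
fi
```

Run with `AUDIT_LIVE=1 sh audit-dot.sh` on the machine in question; an empty audit result is the state the thread ends with (every link showing `-DefaultRoute` and no per-link servers), which is what makes the Global DoT servers the only ones in use.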

Thank you for this, my ethernet link was showing +DefaultRoute and undesired DNS servers.

I ran your nmcli commands and running resolvectl status I now only see my desired DNS over TLS servers under "global" and my other connections (ethernet, wireguard, lo) all have protocols that show -DefaultRoute and +DNSOverTLS and no individual DNS Servers, so I think it's sorted. I appreciate it!

Based on the .conf file provided by my provider, the "resolvectl status" result for Global ends up looking like this:

Global
Protocols: LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
Current DNS Server: XXX.XXX.XXX#XXXX.dns.xxxx.com
DNS Servers: XXX.XXX.XXX#XXXX.dns.xxxx.com XXX.XXX.XXX#XXXX.dns.xxxx.com XXX.XXX.XXX#XXXX.dns.xxxx.com XXX.XXX.XXX#XXXX.dns.xxxx.com

Are you suggesting this could be improved/is incorrect? I do not mind if the .conf file is not following the rules perfectly, as long as it will achieve the correct result.