
[Resolved] Enable DNS over TLS on Debian 11 stable

Linux Kernel, Network, and Services configuration.
Diesel330
Posts: 127
Joined: 2021-11-08 19:57
Location: Eastern Europe
Has thanked: 29 times
Been thanked: 16 times

[Resolved] Enable DNS over TLS on Debian 11 stable

#1 Post by Diesel330 »

I have no firewall enabled.

What I have done:

I have edited my /etc/systemd/resolved.conf file like this:

$ cat /etc/systemd/resolved.conf
DNS=9.9.9.9
FallbackDNS=149.112.112.112
Domains=~.
DNSSEC=yes
DNSSEC=allow-downgrade
DNSOverTLS=yes
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

The systemd-resolved service is not enabled by default in Debian, so I enabled it with these two commands:

sudo systemctl enable systemd-resolved.service
sudo systemctl start systemd-resolved.service

And now I have this info from $ resolvectl status:

$ resolvectl status
Global
       Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: foreign

Link 2 (wwx582c80139263)
    Current Scopes: DNS LLMNR/IPv4
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112

Link 3 (wlp1s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported

Both

tcpdump -i any port 53

and

tcpdump -i any

fill the terminal with data when I visit a page with the browser.

While

tcpdump -i any port 853

does nothing. Port 853 is the port the DNS over TLS protocol communicates on, so I should have traffic on this port. Any ideas on how to fix this are welcome.
Last edited by Diesel330 on 2023-02-09 15:22, edited 2 times in total.

cds60601
df -h | participant
Posts: 706
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 129 times
Been thanked: 60 times

Re: Enable DNS over TLS on Debian 11 stable

#2 Post by cds60601 »

What browser are you using? I think FF has a setting for DNS over HTTPS. You might want to check that as well to see whether it is the issue or not.
Supercalifragilisticexpialidocious

Diesel330
Posts: 127
Joined: 2021-11-08 19:57
Location: Eastern Europe
Has thanked: 29 times
Been thanked: 16 times

Re: Enable DNS over TLS on Debian 11 stable

#3 Post by Diesel330 »

Yes, I have enabled DNS over HTTPS in Firefox... should I disable it? I have no other browser, only Firefox.

Edit: I disabled DNS over HTTPS in Firefox and restarted the program, and I still do not have any traffic on port 853.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Enable DNS over TLS on Debian 11 stable

#4 Post by reinob »

Can you check the contents of /etc/resolv.conf?

It may be that systemd-resolved is running, but it's not being used..
(that "resolv.conf mode: foreign" looks weird, so check that).

Diesel330
Posts: 127
Joined: 2021-11-08 19:57
Location: Eastern Europe
Has thanked: 29 times
Been thanked: 16 times

Re: Enable DNS over TLS on Debian 11 stable

#5 Post by Diesel330 »

$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 9.9.9.9
nameserver 149.112.112.112

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Enable DNS over TLS on Debian 11 stable

#6 Post by reinob »

OK, so you're using 9.9.9.9 and 149.112.112.112 as good old UDP/53 resolvers.

If you want to use systemd-resolved you have to configure /etc/resolv.conf accordingly, i.e.

nameserver 127.0.0.53

You can also consult the systemd-resolved manual (man systemd-resolved).

Cheers.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Enable DNS over TLS on Debian 11 stable

#7 Post by reinob »

also note that for DNSoverTLS you may need to provide the SNI, so in resolved.conf (NOT resolv.conf!) instead of

DNS=9.9.9.9

you will need

DNS=9.9.9.9#dns.quad9.net

No idea about the other one (your fallback).

Diesel330
Posts: 127
Joined: 2021-11-08 19:57
Location: Eastern Europe
Has thanked: 29 times
Been thanked: 16 times

Re: Enable DNS over TLS on Debian 11 stable

#8 Post by Diesel330 »

reinob wrote (2023-02-08 19:43): no idea about the other one (your fallback).

Thanks for the replies. I found 149.112.112.112 on this page: https://www.quad9.net/ together with 9.9.9.9.

Diesel330
Posts: 127
Joined: 2021-11-08 19:57
Location: Eastern Europe
Has thanked: 29 times
Been thanked: 16 times

Re: Enable DNS over TLS on Debian 11 stable

#9 Post by Diesel330 »

I edited my /etc/resolv.conf like this:

# Generated by NetworkManager
nameserver 127.0.0.53

And I also edited my /etc/systemd/resolved.conf like this:

$ cat /etc/systemd/resolved.conf
DNS=9.9.9.9#dns.quad9.net
FallbackDNS=149.112.112.112
Domains=~.
DNSSEC=yes
DNSSEC=allow-downgrade
DNSOverTLS=yes
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

Still no traffic on port 853, any ideas are welcome.

The weird thing is that I still have internet.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Enable DNS over TLS on Debian 11 stable

#10 Post by reinob »

Weird. Maybe just to make sure that systemd-resolved is working correctly, try something like

$ resolvectl query archlinux.org
archlinux.org: 2a01:4f8:172:1d86::1
               138.201.81.199

(taken from https://wiki.archlinux.org/title/Systemd-resolved).

When you run the resolvectl, check with tcpdump if port 53 or 853 is used. Note that 853 is DNS over TLS (DoT), but if you test with a browser they usually support DNS over HTTPS (DoH), which is not the same, and uses port 443.
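The thread's diagnosis boils down to three file-level checks (is /etc/resolv.conf pointing at the 127.0.0.53 stub, does each DNS= entry carry a '#hostname' SNI suffix, and does resolvectl report +DNSOverTLS) plus a packet-level one (traffic on 853 rather than 53 or 443). The script below is an added example, not code from the thread or from systemd: it parses the two config files and the `resolvectl status` text and reports which of those checks fail, so the same audit can be run against a host's real files. The constructed samples reproduce the "before" and "after" states posted above; note that the audit still flags the fallback server, which has no SNI name even in the working configuration, and the effective DNSSEC=allow-downgrade (the second assignment wins). Whether a browser is doing its own DoH over 443 is outside what these files can show, so that part of the thread is not covered here.

```python
"""Audit a systemd-resolved DNS-over-TLS setup from its configuration text.

Added example, not part of the forum thread or of systemd. The finding
codes, parsers and sample inputs below are this example's own constructs.
"""
import re

STUB_ADDRESS = "127.0.0.53"  # systemd-resolved's local stub listener


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf text, in order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_resolved_conf(text):
    """Return {key: value} for resolved.conf; a repeated key keeps its last
    assignment, which is how systemd reads the thread's duplicated DNSSEC= lines."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def split_server_entries(value):
    """Split a DNS=/FallbackDNS= value into (address, sni_name) pairs; sni_name is
    None when the 'ip#hostname' suffix used for the DoT certificate check is absent."""
    entries = []
    for token in value.split():
        addr, _, name = token.partition("#")
        entries.append((addr, name or None))
    return entries


def parse_status_protocols(text):
    """Return the first (Global) 'Protocols:' flag list from `resolvectl status` output."""
    for line in text.splitlines():
        m = re.match(r"\s*Protocols:\s*(.+)$", line)
        if m:
            return m.group(1).split()
    return []


def audit_dot(resolv_conf, resolved_conf, status):
    """Return (code, message) findings; an empty list means every check passed."""
    findings = []
    servers = parse_resolv_conf(resolv_conf)
    if servers != [STUB_ADDRESS]:
        findings.append(("resolv-bypass",
                         f"/etc/resolv.conf names {servers}, not the {STUB_ADDRESS} stub: "
                         "the libc resolver sends plaintext UDP/53 queries there directly "
                         "instead of going through systemd-resolved"))
    conf = parse_resolved_conf(resolved_conf)
    if conf.get("DNSOverTLS", "no").lower() not in ("yes", "opportunistic"):
        findings.append(("dot-disabled", "DNSOverTLS is not enabled in resolved.conf"))
    for key in ("DNS", "FallbackDNS"):
        for addr, name in split_server_entries(conf.get(key, "")):
            if name is None:
                findings.append(("no-sni", f"{key}={addr} has no '#hostname' SNI, so the "
                                           "server certificate cannot be matched to a name"))
    if conf.get("DNSSEC", "").lower() == "allow-downgrade":
        findings.append(("dnssec-downgrade",
                         "effective DNSSEC=allow-downgrade (last assignment wins): a path "
                         "that strips DNSSEC silently falls back to unvalidated answers"))
    if "+DNSOverTLS" not in parse_status_protocols(status):
        findings.append(("status-no-dot", "resolvectl status does not report +DNSOverTLS"))
    return findings


# Constructed samples reproducing the two states shown in the thread.
BEFORE_RESOLV_CONF = "# Generated by NetworkManager\nnameserver 9.9.9.9\nnameserver 149.112.112.112\n"
AFTER_RESOLV_CONF = "# Generated by NetworkManager\nnameserver 127.0.0.53\n"
BEFORE_RESOLVED_CONF = """\
DNS=9.9.9.9
FallbackDNS=149.112.112.112
Domains=~.
DNSSEC=yes
DNSSEC=allow-downgrade
DNSOverTLS=yes
"""
AFTER_RESOLVED_CONF = """\
DNS=9.9.9.9#dns.quad9.net
FallbackDNS=149.112.112.112
Domains=~.
DNSSEC=yes
DNSSEC=allow-downgrade
DNSOverTLS=yes
"""
STATUS = """\
Global
       Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: foreign
"""

if __name__ == "__main__":
    for label, rc, rd in (("before", BEFORE_RESOLV_CONF, BEFORE_RESOLVED_CONF),
                          ("after", AFTER_RESOLV_CONF, AFTER_RESOLVED_CONF)):
        print(f"== {label} ==")
        for code, msg in audit_dot(rc, rd, STATUS) or [("ok", "DoT configuration looks effective")]:
            print(f"[{code}] {msg}")
```

To audit a real host, read the three inputs with `open('/etc/resolv.conf').read()`, `open('/etc/systemd/resolved.conf').read()` and the captured output of `resolvectl status`, and pass them to `audit_dot`; a clean result still needs the packet-level confirmation from the thread (queries via `resolvectl query` showing up on 853, nothing on 53).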

Diesel330
Posts: 127
Joined: 2021-11-08 19:57
Location: Eastern Europe
Has thanked: 29 times
Been thanked: 16 times

Re: Enable DNS over TLS on Debian 11 stable

#11 Post by Diesel330 »

I've had this result:

$ resolvectl query archlinux.org
archlinux.org: 2a01:4f9:c010:6b1f::1
               95.217.163.246

And I have lots of traffic on port 443 when I use the browser.

Diesel330
Posts: 127
Joined: 2021-11-08 19:57
Location: Eastern Europe
Has thanked: 29 times
Been thanked: 16 times

Re: Enable DNS over TLS on Debian 11 stable

#12 Post by Diesel330 »

It finally worked. Thank you man for the help. As soon as I disabled DNS over HTTPS in the browser I got all the traffic on port 853. I did not change the configuration I posted above, it just works.

cds60601
df -h | participant
Posts: 706
Joined: 2017-11-25 05:58
Location: Florida
Has thanked: 129 times
Been thanked: 60 times

Re: Enable DNS over TLS on Debian 11 stable

#13 Post by cds60601 »

Please mark the subject with [Resolved] before your actual topic.
Supercalifragilisticexpialidocious
