Secure name resolution with DNS-over-TLS
What's the Name?
Ordinary DNS sends queries in plaintext. If you're looking for something safer, dial up the privacy with DNS-over-TLS.
In the constantly shifting terrain of network security and administration, the demand for robust privacy measures is at an all-time high. Modern organizations navigate a complex digital ecosystem, often grappling with threats that compromise the integrity of their data and communications. Enter Linux's advanced networking capabilities paired with the security fortifications of DNS-over-TLS – a fusion that promises heightened security levels. This article examines how this integration elevates network privacy, enhancing protection against potential cyberthreats while maintaining seamless communication flows in intricate digital landscapes.
The Problem
At its core, the Domain Name System (DNS) acts as the Internet's directory. Every time a user inputs a domain name into their browser, DNS is the mechanism that translates this human-readable address into a machine-recognizable IP address. For IT professionals, this is Networking 101. Every web application, every cloud service, and every remote server connection hinges on the reliable functioning of DNS.
However, a key flaw permeates traditional DNS. The process, which involves converting domain names into IP addresses, operates in plaintext. The absence of encryption exposes a significant vulnerability, as plaintext communication can be intercepted, viewed, or even manipulated by malicious actors.
Every time a DNS query occurs, anyone with the necessary tools can see which website or service a user is trying to access. This opens the door to a plethora of security threats: from eavesdropping by curious hackers to more orchestrated man-in-the-middle attacks where query responses are manipulated to redirect users to malicious sites.
In the evolving world of cybersecurity, where threats grow in sophistication each day, IT professionals understand that the status quo of DNS communication is not tenable. This is where DNS-over-TLS enters the picture, promising a more secure iteration of this foundational Internet protocol.
Introducing DNS-over-TLS
DNS-over-TLS (DoT) is a fortified version of traditional DNS. At its essence, DoT takes the conventional DNS system and envelops it within the Transport Layer Security (TLS) protocol, thereby providing an encrypted channel for DNS queries.
For IT professionals familiar with the transition from HTTP to HTTPS (thanks to SSL/TLS encryption), the concept here is analogous. While HTTPS encrypts our web-browsing activities, DoT aims to encrypt our domain lookup activities.
The process begins when a client wants to resolve a domain name. Instead of sending a plaintext query, the client establishes a TLS connection to the DNS server. Within this encrypted connection, the DNS query is sent securely. This guarantees that intermediaries, be it ISPs or potential attackers, cannot view or tamper with the DNS traffic.
The key advantages of DoT are:
- End-to-end encryption: With DoT, DNS queries are encrypted from the source (the client) to the destination (the DNS resolver). This ensures complete confidentiality of the user's DNS queries.
- Data integrity: The TLS protocol ensures that the data packets, both queries and responses, remain inviolate. Any attempt at tampering is quickly detected, preventing potential redirection attacks.
- Server authentication: DoT facilitates the authentication of DNS servers. When the client establishes a TLS connection, it can verify the server's certificate, ensuring that it's connecting to a legitimate DNS server and not a malicious imitation.
Ensuring System Readiness
For a seamless transition to DNS-over-TLS, the system's readiness is paramount. Given that the majority of servers run on Linux-based systems, I'll focus on requirements specific to Linux, which include:
- Operating system: A Linux distribution should be in place. Ubuntu, with its extensive community support and robust performance, serves as an excellent platform for DoT implementation.
- User access: It's essential to have root or sudo access. This is necessary for installing packages, modifying system configurations, and restarting services.
As for the server side, it is worth mentioning that you'll need to connect to a DNS server that also supports DoT.
To utilize DoT over the systemd name service systemd-resolved
, your systemd version must be 239 or above. This is essential because earlier versions don't support the DNSOverTLS
option.
To check the version number, type
systemd --version
If your version is below 239, consider a system update; DoT support might be a compelling reason to access the newer features of systemd. By default, systemd-resolved
is enabled on recent Ubuntu releases. It's a system service that manages network names and resolves them.
Too ensure systemd-resolved
is running, enter:
sudo systemctl enable systemd-resolved.service sudo systemctl start systemd-resolved.service
The central configuration file for systemd-resolved
is /etc/systemd/resolved.conf
.
Open it using
sudo nano /etc/systemd/resolved.conf
Within this file, DNS
sets the DNS servers systemd-resolved
should use. For my setup, I utilize Cloudflare's DNS servers, which support DoT. FallbackDNS
is a backup; if the primary DNS servers fail, these servers are consulted. Finally, activating DNSOverTLS
(set to yes
) ensures DNS queries are encrypted.
The configuration lines should look like:
[Resolve] DNS=1.1.1.1 1.0.0.1 FallbackDNS=8.8.8.8 8.8.4.4 DNSOverTLS=yes
Press Ctrl+X, then Y, and Enter to save and exit the nano editor.
Reactivate the service to apply changes:
sudo systemctl restart systemd-resolved
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.
-
Plasma Desktop Will Soon Ask for Donations
The next iteration of Plasma has reached the soft feature freeze for the 6.2 version and includes a feature that could be divisive.
-
Linux Market Share Hits New High
For the first time, the Linux market share has reached a new high for desktops, and the trend looks like it will continue.
-
LibreOffice 24.8 Delivers New Features
LibreOffice is often considered the de facto standard office suite for the Linux operating system.
-
Deepin 23 Offers Wayland Support and New AI Tool
Deepin has been considered one of the most beautiful desktop operating systems for a long time and the arrival of version 23 has bolstered that reputation.
-
CachyOS Adds Support for System76's COSMIC Desktop
The August 2024 release of CachyOS includes support for the COSMIC desktop as well as some important bits for video.
-
Linux Foundation Adopts OMI to Foster Ethical LLMs
The Open Model Initiative hopes to create community LLMs that rival proprietary models but avoid restrictive licensing that limits usage.
-
Ubuntu 24.10 to Include the Latest Linux Kernel
Ubuntu users have grown accustomed to their favorite distribution shipping with a kernel that's not quite as up-to-date as other distros but that changes with 24.10.
-
Plasma Desktop 6.1.4 Release Includes Improvements and Bug Fixes
The latest release from the KDE team improves the KWin window and composite managers and plenty of fixes.
-
Manjaro Team Tests Immutable Version of its Arch-Based Distribution
If you're a fan of immutable operating systems, you'll be thrilled to know that the Manjaro team is working on an immutable spin that is now available for testing.