Secure name resolution with DNS-over-TLS

What's the Name?

© Photo by Ainur Iman on Unsplash

© Photo by Ainur Iman on Unsplash

Article from Issue 277/2023

Ordinary DNS sends queries in plaintext. If you're looking for something safer, dial up the privacy with DNS-over-TLS.

In the constantly shifting terrain of network security and administration, the demand for robust privacy measures is at an all-time high. Modern organizations navigate a complex digital ecosystem, often grappling with threats that compromise the integrity of their data and communications. Enter Linux's advanced networking capabilities paired with the security fortifications of DNS-over-TLS – a fusion that promises heightened security levels. This article examines how this integration elevates network privacy, enhancing protection against potential cyberthreats while maintaining seamless communication flows in intricate digital landscapes.

The Problem

At its core, the Domain Name System (DNS) acts as the Internet's directory. Every time a user inputs a domain name into their browser, DNS is the mechanism that translates this human-readable address into a machine-recognizable IP address. For IT professionals, this is Networking 101. Every web application, every cloud service, and every remote server connection hinges on the reliable functioning of DNS.

However, a key flaw permeates traditional DNS. The process, which involves converting domain names into IP addresses, operates in plaintext. The absence of encryption exposes a significant vulnerability, as plaintext communication can be intercepted, viewed, or even manipulated by malicious actors.

Every time a DNS query occurs, anyone with the necessary tools can see which website or service a user is trying to access. This opens the door to a plethora of security threats: from eavesdropping by curious hackers to more orchestrated man-in-the-middle attacks where query responses are manipulated to redirect users to malicious sites.

In the evolving world of cybersecurity, where threats grow in sophistication each day, IT professionals understand that the status quo of DNS communication is not tenable. This is where DNS-over-TLS enters the picture, promising a more secure iteration of this foundational Internet protocol.

Introducing DNS-over-TLS

DNS-over-TLS (DoT) is a fortified version of traditional DNS. At its essence, DoT takes the conventional DNS system and envelops it within the Transport Layer Security (TLS) protocol, thereby providing an encrypted channel for DNS queries.

For IT professionals familiar with the transition from HTTP to HTTPS (thanks to SSL/TLS encryption), the concept here is analogous. While HTTPS encrypts our web-browsing activities, DoT aims to encrypt our domain lookup activities.

The process begins when a client wants to resolve a domain name. Instead of sending a plaintext query, the client establishes a TLS connection to the DNS server. Within this encrypted connection, the DNS query is sent securely. This guarantees that intermediaries, be it ISPs or potential attackers, cannot view or tamper with the DNS traffic.

The key advantages of DoT are:

  • End-to-end encryption: With DoT, DNS queries are encrypted from the source (the client) to the destination (the DNS resolver). This ensures complete confidentiality of the user's DNS queries.
  • Data integrity: The TLS protocol ensures that the data packets, both queries and responses, remain inviolate. Any attempt at tampering is quickly detected, preventing potential redirection attacks.
  • Server authentication: DoT facilitates the authentication of DNS servers. When the client establishes a TLS connection, it can verify the server's certificate, ensuring that it's connecting to a legitimate DNS server and not a malicious imitation.

Ensuring System Readiness

For a seamless transition to DNS-over-TLS, the system's readiness is paramount. Given that the majority of servers run on Linux-based systems, I'll focus on requirements specific to Linux, which include:

  • Operating system: A Linux distribution should be in place. Ubuntu, with its extensive community support and robust performance, serves as an excellent platform for DoT implementation.
  • User access: It's essential to have root or sudo access. This is necessary for installing packages, modifying system configurations, and restarting services.

As for the server side, it is worth mentioning that you'll need to connect to a DNS server that also supports DoT.

To utilize DoT over the systemd name service systemd-resolved, your systemd version must be 239 or above. This is essential because earlier versions don't support the DNSOverTLS option.

To check the version number, type

systemd --version

If your version is below 239, consider a system update; DoT support might be a compelling reason to access the newer features of systemd. By default, systemd-resolved is enabled on recent Ubuntu releases. It's a system service that manages network names and resolves them.

Too ensure systemd-resolved is running, enter:

sudo systemctl enable systemd-resolved.service
sudo systemctl start systemd-resolved.service

The central configuration file for systemd-resolved is /etc/systemd/resolved.conf.

Open it using

sudo nano /etc/systemd/resolved.conf

Within this file, DNS sets the DNS servers systemd-resolved should use. For my setup, I utilize Cloudflare's DNS servers, which support DoT. FallbackDNS is a backup; if the primary DNS servers fail, these servers are consulted. Finally, activating DNSOverTLS (set to yes) ensures DNS queries are encrypted.

The configuration lines should look like:


Press Ctrl+X, then Y, and Enter to save and exit the nano editor.

Reactivate the service to apply changes:

sudo systemctl restart systemd-resolved

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Portmaster

    Security and anonymization play an increasingly important role on the Internet due to the endless appetite of Internet companies for personal data. Portmaster and the Safing Privacy Network will help you protect your privacy – even if you're not a security expert.

  • systemd-networkd

    The new networkd component of the systemd project supports basic network configuration. Despite its early stage of development, one thing is clear: This is a daemon with brains.

  • Professor Knopper's Lab – Removing systemd

    The systemd service manager has been widely adopted by many Linux distros, so why would you want to remove it? The professor reveals why and how.

  • iNet Wireless Daemon

    Intel's iNet wireless daemon offers virtually all of the features found in the obsolete WPA Supplicant, and it is smaller by a factor of 10.

  • Systemd Graphical Tools

    Systemd has won the race, as indicated by the several tools that already offer a service just a mouse click away. We look at six of these tools.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More