Today we increasingly see the importance of privacy and security in computing, and our browsing activity now needs protection more than ever. This tutorial shows how to enable DNS over TLS (DoT) on Ubuntu using the Quad9 service. DoT is an alternative to DNSCrypt and DNS over HTTPS (DoH) that helps prevent anyone on the network from wiretapping or hijacking which websites you visit in your web browser. The feature is already built into Ubuntu 22.04 LTS Jammy Jellyfish, so no additional software needs to be installed.
Overview
We will enable system-wide encryption of DNS queries on Ubuntu. This means all applications, including the web browser and chat messengers, are protected without individual setup in each of them. The difference from the usual DoH setup is that the queries are carried over plain TLS instead of HTTPS, hence the name DNS over TLS (DoT). The feature is part of systemd-resolved, which is preinstalled on Ubuntu. Lastly, we would love to thank Quad9, the free secure DNS provider we picked here.
Configure Systemd-Resolved
Step 1. Edit your /etc/systemd/resolved.conf and add the following single line of text (it belongs in the [Resolve] section of that file).
DNSOverTLS=yes
Step 2. Save the configuration and continue to the next step.
Configure Network Manager
It's quickest to configure Network Manager by clicking through its settings:
Step 1. Click the Wi-Fi icon at the top.
Step 2. Click Wi-Fi Settings.
Step 3. Click the gear icon next to the connected Wi-Fi network you use daily.
Step 4. Enter the two IPv4 addresses of the Quad9 DNS servers.
9.9.9.9, 149.112.112.112
Step 5. Enter the two IPv6 addresses of Quad9, if you use IPv6.
2620:fe::fe, 2620:fe::9
Step 6. Save the configuration and continue to the next step.
Restart the Services
Restarting your computer is the easiest way; otherwise, run the two commands below. Continue to the next step after that.
$ sudo systemctl restart systemd-resolved
$ sudo systemctl restart NetworkManager
Testing
There are three ways to test this new configuration.
Option 1 uses the Terminal and Firefox simultaneously. Open your Terminal and run sudo tcpdump -i any port 853 while at the same time opening Firefox to visit www.ubuntubuzz.com. It should display many packets going to and from the Quad9 addresses on port 853.
Option 2 is visiting a website that can test your DNS security. In Quad9's case, visit https://on.quad9.net. The page will say "YES" if your configuration is correct, otherwise "NO".
Option 3, the clearest way, is to visit a website you previously could not visit in your country because it was blocked, wiretapped or hijacked. For example, in Indonesia we can now visit reddit.com.
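The configuration step and the verification above, as an added example that is not part of the original article: a POSIX sh script whose set_dot function applies the DNSOverTLS=yes change idempotently to a copy of resolved.conf (keeping the key under the [Resolve] section, so you can preview the result on a scratch file before touching /etc), and whose check_dot function reads a saved `resolvectl status` output and passes only when DoT is advertised and every listed server is a Quad9 address. The status text layout follows systemd 249 as shipped in Ubuntu 22.04 and both samples are constructed; those are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the [Resolve] section
# layout of resolved.conf and the `resolvectl status` text of systemd 249
# (Ubuntu 22.04); both status samples below are constructed, not captured.

# set_dot FILE: leave exactly one "DNSOverTLS=yes" under [Resolve]: rewrite an
# existing (even commented) DNSOverTLS= line, else insert it after the header.
set_dot() {
    tmp=$(mktemp) || return 1
    awk -v key='DNSOverTLS=yes' '
        /^[ \t]*#?[ \t]*DNSOverTLS[ \t]*=/ {
            if (!done) { print key; done = 1 }   # rewrite first, drop repeats
            next
        }
        { print }
        /^\[Resolve\]/ && !done { print key; done = 1 }
        END { if (!done) { print "[Resolve]"; print key } }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"; rc=$?
    rm -f "$tmp"; return $rc
}

# check_dot FILE: succeed only if a Protocols: line advertises +DNSOverTLS and
# every address on "DNS Servers:" lines is a Quad9 resolver (a "#port" or
# "#servername" suffix, which resolvectl can print, is ignored).
check_dot() {
    grep -Eq 'Protocols:.*\+DNSOverTLS' "$1" || return 1
    servers=$(sed -n 's/^[[:space:]]*DNS Servers:[[:space:]]*//p' "$1")
    [ -n "$servers" ] || return 1
    for s in $servers; do
        case "${s%%#*}" in
            9.9.9.9|149.112.112.112|2620:fe::fe|2620:fe::9) ;;
            *) return 1 ;;
        esac
    done
}

# Constructed `resolvectl status` text after the article's setup (should pass).
GOOD_STATUS='Global
       Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported

Link 2 (wlp3s0)
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9'

# Constructed text from before the change: DoT off, router still answering.
BAD_STATUS='Link 2 (wlp3s0)
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.1.1'
```

On your own machine, save the real output with `resolvectl status > /tmp/status.txt` and run `check_dot /tmp/status.txt`; once set_dot behaves as expected on a copy, it can be applied to /etc/systemd/resolved.conf with sudo.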
Browse the Internet
Finally, you can now surf the web with peace of mind. Please bear in mind that security moves fast, and when this article becomes obsolete sooner or later you should look for another way to secure your internet access. Thank you and see you next time!
(Visiting /r/Ubuntu is now okay!)
This article is licensed under CC BY-SA 3.0.