Ade Malsasa Akbar
Senior author, Open Source enthusiast.
Tuesday, July 25, 2023 at 22:53

This tutorial shows how to set up DoT (DNS over TLS) on Debian 12 Bookworm with systemd-resolved. Ordinary DNS travels in plaintext, so anyone on the path (a hotspot operator, your ISP, an attacker on the local network) can read, block or rewrite your lookups. DoT wraps those queries in TLS to a resolver you choose, so an on-path party sees only an encrypted connection to that resolver. It does not hide your lookups from the resolver itself, and it does not hide the addresses you connect to afterwards, so pick a resolver you trust. This article complements our Debian 12 Install Guide and After Install Recommendations. We use Quad9, a public resolver operated from Switzerland that supports DoT, in place of the ISP's resolver, which does not. We hope this will be helpful for you.


Requirements

 
You need a DNS over TLS (DoT) resolver whose IP addresses will replace the ones handed out by your ISP. Several public services offer this, for example Quad9, NextDNS and DNS.SB. Note the resolver's TLS server name as well as its addresses, because systemd-resolved uses that name to validate the server certificate; for Quad9 it is dns.quad9.net. This article uses Quad9 and its two IPv4 addresses:

9.9.9.9
149.112.112.112

 

1. Install bind9-dnsutils

Debian Bookworm does not ship 'dig' by default, so install the package that provides it; we use it later to verify the setup:

$ sudo apt install bind9-dnsutils


2. Install systemd-resolved

On the Debian Bookworm we installed (the live GNOME edition), systemd-resolved is not installed by default, so install and enable it. After this, /etc/resolv.conf should point at the stub resolver on 127.0.0.53; if it does not, applications bypass systemd-resolved and none of the settings below apply to them.

$ sudo apt-get install systemd-resolved
$ sudo systemctl enable --now systemd-resolved

 

3. Configure System DNS Settings

 

3.1. Via Terminal

Now edit resolved.conf, the configuration file of systemd-resolved:

$ sudo nano /etc/systemd/resolved.conf

For Quad9 the active part of resolved.conf looks like this. Entries in DNS= are separated by spaces, not commas (a comma-joined value is not parsed as two servers). The "#dns.quad9.net" suffix tells systemd-resolved which name to validate the TLS certificate against and to send as SNI. DNSOverTLS=yes requires TLS and fails closed; "opportunistic" would fall back to plaintext and give no protection against an active attacker. DNSSEC=yes makes resolved reject answers that fail validation; if a network you use breaks DNSSEC (some captive portals and corporate resolvers do), names stop resolving there, and DNSSEC=allow-downgrade is the safer middle ground.

[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
DNSOverTLS=yes
DNSSEC=yes

Viewed in the terminal it looks like the screenshot below: the active settings are the lines without a leading hashtag; the commented lines are defaults and can be ignored.



 

3.2. Via Graphical User Interface (GUI)

If you use the Debian 12 GNOME desktop you must also set the DNS addresses in NetworkManager. NetworkManager hands each connection's own resolvers (normally your ISP's, learned from DHCP) to systemd-resolved as per-link servers, and those are used for that link alongside the global setting above. With DNSOverTLS=yes, resolved would try TLS to the ISP's servers and fail, so replace them on every connection:

  • Click the network icon in the top panel.
  • Click All Networks.
  • System Settings opens on the 'Wi-Fi' or 'Network' page.
  • Click the gear icon next to the currently connected network. Ours is called "aming".
  • A configuration dialog opens.
  • Open the IPv4 tab.
  • Switch off the "Automatic" toggle in the DNS section.
  • Enter the DNS addresses in the DNS box (see the screenshot).
  • Click Apply.
  • Repeat this for every network you normally use: Wi-Fi, wired, USB tethering and so on.

4. Apply the Configuration

To apply the new settings, either reboot or simply restart the service:
$ sudo systemctl restart systemd-resolved 


5. Confirm if DoT is working

 

5.1. Using Firefox

Visit on.quad9.net; the page should say "Yes, you ARE using quad9". This confirms that Quad9 is answering your queries, not by itself that they travelled over TLS; the terminal checks below confirm the transport. Also note that if Firefox's own DNS over HTTPS is enabled, it bypasses the system resolver entirely, and this page then says nothing about systemd-resolved.

 


5.2. Using Terminal 

If you use the Quad9 addresses, run the commands below; they should show replies from Quad9 like those shown. Otherwise DNS over TLS is not working and you should go back over the configuration.

First command and expected result if it works:

$ dig +short txt proto.on.quad9.net
dot.

Second command and expected result if it works; the name in the reply identifies the Quad9 site answering you and will differ from ours:

$ dig +short txt id.server.on.quad9.net
res231.qsin1.on.quad9.net.

Third command and expected result if it works; the line to look for is Protocols: with +DNSOverTLS on the link you use (your link number and interface name will differ):

$ resolvectl status 
Link 4 (enx023137500552)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112

The screenshot below shows these three commands confirming that DNS over TLS is working as expected.
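The same steps 3 to 5, scripted. This is an added example and not code from the original tutorial: it writes the resolved settings as a drop-in file instead of editing resolved.conf by hand, replaces the per-connection resolvers with nmcli instead of the GNOME dialog, and checks the output of resolvectl status so that a link still using a plaintext resolver is caught. It assumes Quad9's DoT server name dns.quad9.net (from Quad9's documentation, not stated on this page), the standard drop-in directory /etc/systemd/resolved.conf.d/, and the connection name "aming" from the GUI step. The resolvectl sample it parses is constructed for the demo and modelled on the output above.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Scripts steps 3 to 5:
# drop-in file for systemd-resolved, per-connection resolvers via nmcli,
# and a check over `resolvectl status`.
# Assumptions: Quad9's DoT server name is dns.quad9.net (Quad9 docs);
# /etc/systemd/resolved.conf.d/ is the standard drop-in directory;
# "aming" is the NetworkManager connection name used in the tutorial.

QUAD9_SERVERS="9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net"
NM_CONNECTION="aming"

# Render the [Resolve] section. DNS= is space separated; the "#name" suffix
# makes resolved validate the certificate against that name and send it as SNI.
render_resolved_conf() {
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=yes\nDNSSEC=yes\n' "$1"
}

# Read `resolvectl status` on stdin and print how many sections (Global or
# Link N) list DNS servers but do not show +DNSOverTLS. 0 means every resolver
# in use is reached over TLS; anything else means a link still talks plaintext
# DNS, typically an ISP resolver left in place by DHCP.
count_plaintext_links() {
    awk '
        function flush() { if (seen && hasdns && !dot) bad++ }
        /^Global/ || /^Link [0-9]+ / { flush(); seen = 1; dot = 0; hasdns = 0 }
        /Protocols:/ && /[+]DNSOverTLS/ { dot = 1 }
        /^ *DNS Servers:/ { hasdns = 1 }
        END { flush(); print bad + 0 }
    '
}

# Constructed sample of `resolvectl status` output (not real output): DoT is on
# for the global scope and link 4, but link 2, a wired connection whose DHCP
# resolver was never replaced, is still plaintext.
sample_status() {
    cat <<'EOF'
Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112

Link 2 (enp1s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1

Link 4 (enx023137500552)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112
EOF
}

# Live steps (need root and network). Only run as: sh dot.sh apply
apply_dot() {
    mkdir -p /etc/systemd/resolved.conf.d
    render_resolved_conf "$QUAD9_SERVERS" > /etc/systemd/resolved.conf.d/dot.conf
    systemctl restart systemd-resolved
    # Drop the DHCP-supplied resolvers from the connection and set Quad9,
    # requiring DoT at the NetworkManager level as well (connection.dns-over-tls
    # exists since NetworkManager 1.34; Debian 12 ships 1.42).
    nmcli connection modify "$NM_CONNECTION" \
        ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes \
        ipv4.dns "9.9.9.9 149.112.112.112" connection.dns-over-tls yes
    nmcli connection up "$NM_CONNECTION"
    # Quad9 reports the protocol it saw, so this checks the transport end to end.
    dig +short txt proto.on.quad9.net
    resolvectl status | count_plaintext_links
}

if [ "${1:-}" = apply ]; then
    apply_dot
else
    # Offline demo on the constructed sample: prints 1 (link 2 is plaintext).
    sample_status | count_plaintext_links
fi
```

Run it without arguments to see the check work on the constructed sample; run it as root with `apply` to perform the real setup. The count should be 0 afterwards; a non-zero result points at a connection whose DHCP resolvers were not replaced, which is exactly the case the GUI step above exists to cover.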



6. Enable or Disable DoT

To enable DoT, complete steps 3 to 5.

To disable DoT, reverse what you did in steps 3 to 5 back to the default configuration: comment out the edited lines in resolved.conf with a leading hashtag as below, switch DNS back to "Automatic" in the NetworkManager connection dialog, then restart systemd-resolved as in step 4.

[Resolve]
#DNS=9.9.9.9,149.112.112.112
#DNSOverTLS=yes
#DNSSEC=yes

That's all the configuration. Happy browsing!


This article is licensed under CC BY-SA 3.0.